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Preface 



The 8th Annual Financial Cryptography Conference was held during 9-12 Febru- 
ary 2004 in Key West, Florida, USA. The conference was organized by the In- 
ternational Financial Cryptography Association (IFCA). 

The program committee, which comprised 25 members, reviewed 78 submis- 
sions, of which only 17 were accepted for presentation at the conference. This 
year’s conference differed somewhat from those of previous years in its con- 
sideration of papers devoted to implementation, rather than purely conceptual 
research; one of these submissions was presented at the conference. This repre- 
sented a movement in the conference toward practical problems and real-world 
perspectives as a complement to more traditional academic forms of research. 

In this spirit, the program included a number of excellent invited speakers. 
In the opening talk of the conference, Jack Selby threw down the gauntlet, de- 
scribing some of the achievements of the PayPal system, but also enumerating 
reasons for the failures of many elegant e-cash schemes in the past. Ron R.ivest, 
in contrast, described an emerging success in the cleverly conceived Peppercoin 
micropayment system. Jacques Stern enlightened us with his experience in the 
cryptographic design of banking cards in France. Simon Pugh unveiled some de- 
tails of a new generation of wireless credit card. Finally, in deference to the many 
consumers in the world lacking either techno-savvy or technological resources 
that we often too easily take for granted, Jon Peha described a fielded banking 
system that avoids reliance on conventional financial infrastructures. Thanks to 
all of these speakers for rounding out the conference with their expertise and 
breadth of vision. 

The conference also included a panel, moderated by Andrew Patrick, on 
usability and its impact on security. This was a salutary and engaging reminder 
of how security means much more than cryptography alone. 

I wish to thank the program committee for their diligence and care in review- 
ing papers, and in some cases for providing highly detailed comments to submit- 
ters. I would also like to thank the external referees who lent help in reviewing 
papers: Danny Bickson, Liad Blumenreich, Julien Brouchier, Dario Catalano, 
Benoit Chevallier-Mames, Pierre- Alain Fouque, Zvika Guterman, Helena Hand- 
schuh, Stanislaw Jarecki, Ofer Margo, Nick Mathewson, Pascal Paillier, Elan 
Pavlov, Ludovic Rousseau, Yaron Sella, and Jessica Staddon. 

Thanks to the IFCA directors and officers for their guidance in conference 
arrangements. I am grateful to Moti Yung for chairing the rump session, an 
evening of short, informal presentations on ideas in the making or the breaking. 
Thomas Herlea of KU Leuven was very helpful as administrator of the confer- 
ence submission server. Also thanks to Hinde ten Berge, who served as General 
Chair, overseeing not only the local arrangements for this conference, but also 
the publication of the preproceedings. 




VI 



Preface 



Finally, thanks to all of the contributors of the scientific papers to the con- 
ference. As in previous years, participants enjoyed not only mentally stimulating 
presentations, but also the ample sunshine - a nearly forgotten delight for many 
delegates from northern countries. 

From its beginning, Financial Cryptography has been something of a haven 
for cryptographic mavericks and a meeting-point for researchers, scientists, fi- 
nanciers, and hands-on implementers. As the conference matures, let us look to 
see its early spark of originality continue to thrive in the conference hall and on 
the beaches. 



April 2004 



Ari Juels 
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Analyzing the Success and Failure 
of Recent e-Payment Schemes 
(Abstract) 



Jack R. Selby* 

Clarium Capital Management LLC 
San Francisco, CA, USA 

j ack@clariumcapital . com 
www . clariumcapital . com 



The advent of the Internet was believed to be a critical factor in accelerating the 
ease of distribution and overall adoption of “E-Payment” schemes. However, the 
“dot-com” boom of the late 1990’s yielded few successful new payment systems. 
Instead, many recurring problems plagued the Internet-based schemes, and an 
examination of these persistent pitfalls suggests necessary changes in approach 
for future “E-Payment” entrepreneurs. 

By a very wide margin, PayPal, Inc. represents the most successful new “E- 
Payment” scheme hatched during the Internet boom. With more than 30 million 
users and a profitable business model, PayPal today is owned fully by eBay after 
a $1.4 billion dollar acquisition (concluded in October 2002). Why did PayPal 
succeed when others failed? 

First, PayPal designed a new payment scheme specifically for a clear demand 
from buyers and sellers. Specifically, PayPal addressed the inefficiencies endemic 
with paper (checks, money orders, et al) payments. Additionally, PayPal fo- 
cused on the expensive nature of credit card processing, especially for small and 
medium enterprises (SMEs) which often struggle to afford the fixed cost and 
fraud component of processing plastic payments. Second, PayPal tapped a mar- 
ket of tremendous size and scope - the online auction market. Markets like eBay 
enabled PayPal to spread rapidly and scale as a business model (spread fixed 
costs across rapid top-line revenue growth). Finally, PayPal mastered many of 
the operation complexities that doomed many of its competitors, in particular 
fraud prevention and customer service. 

Why did other new payment schemes fail? Some premised their businesses 
on “partnerships” with financial institutions for distribution agreements. These 
arrangements often became mired in bureaucracy while running afoul of the 
“not invented here” syndrome common within the industry. Other new payment 
schemes developed technologies without any regard for real consumer or mer- 
chant demand. These “over-engineered” applications, while elegant in design, 
failed to translate to practical and useful improvements over current payment 
options. 

* Managing Director, Clarium Capital LLC. Former Senior Vice President and Cor- 
porate Officer of PayPal, Inc. (NASDAQ: PPYL) 
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Peppercoin Micropayments 



Ronald L. Rivest 

Computer Science and Artificial Intelligence Laboratory 
Massachusetts Institute of Technology 
Cambridge, MA 02139 
rivest@mit . edu 



Abstract. We present the “Peppercoin” method for processing micro- 
payments efficiently. With this method, a fraction of the micropayments 
received are determined, via a procedure known as “cryptographic se- 
lection,” to qualify for upgrade to a macropayment. The merchant de- 
posits the upgraded micropayments as macropayments, and merely logs 
locally the non-qualifying micropayments. In this manner, the merchant 
transforms a large collection of small micropayments into a smaller col- 
lection of macropayments, of the same total expected value. The mer- 
chant pays much less for processing the resulting macropayments, since 
there are fewer of them. Consumers are billed for exactly the amount 
they spend, based on auxiliary information recorded in each micropay- 
ment. The method is highly secure, and compatible with existing pay- 
ment mechanisms such as credit cards. 



1 Introduction 

The Peppercoin micropayment system is due to Micali and Rivest [MR02]; we 
refer the reader to their original paper for more details. Here we give only a 
high-level description of the method. 

For this paper, a “micropayment” is any payment that is small enough that 
processing it is relatively costly, as a percentage of the overall transaction value. 
Given that typical credit card processing fees may be twenty-five cents per trans- 
action, we may consider a “micropayment” to be any payment under $10. 

We view the introduction of efficient micropayments into the world of internet 
e-commerce as potentially as significant as the invention of metal coins by the 
Lydians in 640 B.C. Coins turned out to be a signficant market enabler - the 
first retail markets evolved soon thereafter. 

Today, it is clear that small electronic payments will soon become common- 
place. Not only to pay for music downloads (note the recent success of Apple’s 
iTunes), but also for other digital downloads and other digital goods and services. 
Small electronic payments will begin to replace metal coins and small paper bills 
for real-world purchases as well. 

Efficient processing is essential for a successful micropayment method; it 
makes no sense to charge twenty-five cents to process a ten-cent payment! 

Other important factors include ease-of-use, security, and compatibility with 
the existing payment infrastructure. 
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2 Aggregation Methods 

The key to efficient processing of micropayments is, of course, the aggregation 
of many small micropayments into a few larger macropayments. We distinguish 
four levels of potential aggregation, of increasing efficiency. 

2.1 No Aggregation 

When no aggregation is done, each payment, no matter how small, makes its 
way around the entire payment cycle, from purchaser to merchant to merchant 
(acquiring) bank to consumer (issuing) bank to consumer (for billing). [Or the 
equivalent, depending on whether this is a debit or credit system.] Having every 
party touch every payment in this manner is extremely inefficient and costly. 
Chaum’s Digicash system [Cha83] is an example of a payment system with no 
aggregation. (To be fair, the emphasis of his design was on anonymity rather 
than efficiency for micropayments.) 

2.2 Session-Level Aggregation 

With session-level (also known as merchant-level) aggregation, the merchant 
collects several small payments from a given consumer - say all of those spent by 
that consumer during one day - and submits a macropayment representing the 
aggregate amount due at the end of the day or session. This method only works 
sometimes: when the consumer makes repeated small purchases at the same 
merchant within a short time period; it doesn’t work in general. Pay Word [RS97] 
is an example of a method based on session-level aggregation. 

2.3 Aggregation by Intermediation 

Another approach to provide aggregation is to create a new intermediary that all 
consumers and merchants must interact with in order to process micropayments. 
This intermediary attempts to keep track of all micropayments made by each 
consumer at any participating merchant, and then submit for processing by 
the ordinary banking system only payments that represent the entire amount 
spent by that consumer during the given time period, or the entire amount 
to be received by a given merchant during that time period. This approach 
still requires handling of each payment by the intermediary, who is tasked with 
replicating the functionality of the entire existing banking system, at lower cost! 
Clearly, the way towards success should be by reducing the amount of mechanism 
and processing involved, not by increasing it! 

2.4 Universal Aggregation 

The “Peppercoin” method uses universal aggregation, which we sometimes also 
call cryptographic selection or many /many /many aggregation, since it aggregates 
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smoothly across many consumers, many merchants, and many payment service 
providers. 

With universal aggregation, each participating merchant processes micropay- 
ments directly, using special cryptographic software. 

The software first checks the validity of the micropayment - for example, by 
checking the consumer’s digital signature on that micropayment. If the micro- 
payment is valid, the merchant then completes the transaction and delivers the 
purchased goods to the consumer. 

The software then checks whether the micropayment “qualifies for an up- 
grade” (to a macropayment). If the micropayment does not qualify for an up- 
grade, the merchant merely logs the micropayment, and need do no further pro- 
cessing. If the micropayment does qualify for an upgrade to a macropayment, 
then the merchant will deposit that micropayment as a macropayment with his 
bank. 

The size of the resulting macropayment will be a fixed system parameter, 
such as $10 or $20. 

The fraction of micropayments that qualify for such an upgrade depends on 
the size of the micropayments. For example, for ten-cent micropayments and 
a $10 macropayment size, approximately one in every 100 micropayments will 
qualify for such an upgrade to a $10 macropayment. 

It is easy to see that the merchant expects to receive the same amount on 
the average, since one hundred ten-cent micropayments has the same net value 
as one ten-dollar macropayment. 

Indeed, the merchant should be very happy with such a procedure, since 
he is now only paying a single transaction processing fee (for the ten-dollar 
macropayment) instead of one hundred transaction processing fees (for each of 
the micropayments). Universal aggregation turns what was probably a money- 
losing proposition into a profitable operation for the merchant! 

The qualification procedure is cryptographic in nature, so that neither the 
consumer nor the merchant can affect the decision as to whether a particular mi- 
cropayment will qualify for upgrade. The qualification procedure depends upon 
the merchant’s digital signature on data derived from the micropayment, so that 
other parties, such as the merchant’s and consumer’s banks, can check that a 
given micropayment did indeed qualify for upgrade. 

While one may loosely think of the qualification procedure as selecting a 
given micropayment for upgrade “with a certain probability,” the qualification 
procedure is in fact deterministic and not randomized - the merchant’s digital 
signature method will be a deterministic signature method. 

It is important to note that each micropayment is tested for qualification 
for upgrade independently of each other micropayment. The merchant does not 
need to keep any sort of records of previous transactions, cumulative amount 
spent by each consumer, or the like; this simplicity permits very elegant and 
clean implementations for the merchant. 

When a particular micropayment qualifies for an upgrade to a macropayment, 
and is turned in for a $10 deposit by the merchant, who pays the merchant the 
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$10? It may be awkward to bill the consumer, since it may be his very first 
micropayment . 

The Peppercoin system ensures that a consumer is never billed for more 
than he has spent. This is accomplished by having each micropayment indicate 
the total cumulative value of the consumer’s expenditures to date. The con- 
sumer’s bank sees these values every so often, when it sees micropayments from 
the consumer that have been upgraded to macropayments, and can thus incre- 
mentally bill the consumer appropriately. The consumer’s bank thus acts as a 
financial “buffer” between the cash outlays to merchants and the receipts from 
the consumer, in a manner very similar, but not identical, to what happens with 
standard credit card processing. The cryptographic nature of the qualification 
process ensures that the cash flows of the consumer’s bank will (almost exactly) 
balance, as they grow in value. The use of cryptography - based on digital sig- 
natures by consumers and merchants - also prevents various forms of fraud of 
one or two parties against the other (s). 

Universal aggregation excels for processing micropayments, since the micro- 
payments exist as such only in the hands of the consumers and merchants, who 
are in any case involved with other transaction details as well. Deposits made by 
the merchant are solely in the form of macropayments. Consumers are only billed 
for the amount they have spent at all merchants over the billing period (e.g. one 
month), which will not be a micropayment (for most consumers). There is no 
intermediary involved who has to handle every payment. Thus, universal aggre- 
gation provides a clean and simple way to extend an existing payment system, 
such as a credit-card system, to the realm of micropayments. 



3 Other Issues 

3.1 Ease of Use 

The basic Peppercoin method can be implemented in a variety of ways, to max- 
imize ease-of-use for the consumer in a given situation. For example, while the 
basic Peppercoin method requires that each consumer have digital signature ca- 
pability, one can easily eliminate this requirement by having a party trusted by 
the consumer sign the payments for him as a proxy; this might be a natural 
approach in a web-services environment. 

The Peppercoin method can also be implemented so that it feels to the con- 
sumer as a natural extension of his existing credit-card processing procedure, 
further increasing consumer acceptance and ease-of-use. 

3.2 Scalability 

The Peppercoin micropayment system scales easily to very large implementa- 
tions, since all of the “real work” involving micropayments is handled by the 
consumer and merchant directly, and since the system works naturally with a 
variety of financial institutions representing the consumer and the merchant. 
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3.3 Non-interactivity 

The Peppercoin method is non-interactive in the sense that a Peppercoin mi- 
cropayment can be emailed or transmitted directly from consumer to merchant. 
There is no need for the merchant to interact with the consumer during the 
payment process, or even to be on-line at the time of the payment. 

This non-interactivity means, for example, that Peppercoin micropayments 
could conceivably be used in applications such as spam-prevention, where it has 
often been proposed that spam could be reduced by requiring a micropayment 
with each email sent. 

3.4 Low-Cost Qualification Procedures 

The simple universal aggregation method described above requires the merchant 
to compute a digital signature for every micropayment received. For some mer- 
chants, who are processing a very high volume of very low-priced goods, this 
may be a bit of a burden. 

It is possible to reduce this computation cost considerably, by modifying 
the qualification procedure slightly. For example, it may depend only on the 
merchant’s signature on the time of the micropayment, measured to the nearest 
minute. Then the merchant need only compute one digital signature per minute. 
A different approach to reducing computation time can be based on having the 
server compute a “Merkle tree” [Mer79] to hash together many micropayments, 
and then compute a digital signature on the root. 



3.5 Variable-Sized Payments 

Although this point may already be clear, we emphasize that the Peppercoin 
micropayment system handles micropayments of varying sizes in a smooth and 
efficient manner. The only relevant factor is the ratio between the macropay- 
ment size and the micropayment size. For example, if macropayments are ten 
dollars and a micropayment is ten cents, this ratio is one-hundred; in this case 
the qualification procedure ensure that one out of every one hundred ten-cent mi- 
cropayments, on the average, qualifies for an upgrade to a macropayment. Thus, 
as an additional example, one-dollar micropayments would qualify for upgrade 
one out of every ten times, on the average, to a ten-dollar macropayment. 



3.6 Revenue Variance 

The merchant will see a dramatic reduction in his costs for processing transac- 
tions, since he is requesting processing for a small number of macropayments 
instead of a large number of micropayments. 

But the merchant may worry that the qualification procedure might leave him 
nonetheless somehow at a disadvantage, since during a given period a unusually 
small number of micropayments might qualify for upgrade. 
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Fortunately, this worry is easily determined, with a little analysis, to be a 
non-issue. The cost-savings provided by Peppercoin, which provide a benefit to 
the merchant on each and every transaction, and which grow cumulatively in 
value as he processes more transactions, are going to overwhelm any “jitter” 
in the qualification decisions, which are unbiased. The following theorem is one 
example of such analysis, comparing a Peppercoin implementation which charges 
a fee of pT for processing each transaction of value T, versus another system that 
charges qT for processing each transaction of value T. 

Theorem 1. If a Peppercoin implementation which charges a fee of pT for pro- 
cessing each transaction of value T, while another system that charges qT for 
processing each transaction of value T, then once the total number of macropay- 
ments (qualifying micropayments) exceeds 

( 5 /(q~p)) 2 

the probability is 999,999 out of 1,000,000 that the merchant’s net total receipts 
will be higher with Peppercoin than with the other system. 

As an example, consider a scenario where a Peppercoin-based system offers 
to process ten-cent payments for a penny each (i.e. , p = 0.1; quite feasible with 
Peppercoin), while competitor C offers to process them for three cents each 
(i.e., q = 0.3; very hard to achieve without using a selection procedure such as 
Peppercoin’s). Thus, q — p = 0.2, and the merchant will almost surely be ahead 
with Peppercoin after only (5/0. 2) 2 = 625 macropayments. This is a rather 
worst-case estimate, and the merchant is likely to be ahead with Peppercoin 
from the start. 

4 Summary 

The Peppercoin universal aggregation method for processing micropayments of- 
fers low-cost processing, even for very small payments, with a high-degree of 
security. It can be implemented in an easy-to-use manner that extends existing 
payment mechanisms. 

More details can be found on the Web [Pep,Riv]. 
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Abstract. With the explosive growth of mobile communications, users 
may often access value-added services through foreign service providers. 
These providers will interact directly with users, later providing details 
to a user’s home service provider regarding the services rendered; the 
home service provider, in turn, bills the user. One critical concern is that 
the foreign service provider might inflate the usage figures it furnishes to 
the home service provider. In this paper, we address this issue using a mi- 
crocredit scheme. The scheme is efficient as the verification time required 
by the home service provider is only logarithmic in the number of micro- 
credit transactions, and the verification time required by the foreign ser- 
vice provider is constant. Moreover, the communication complexity per 
microcredit transaction between the user and foreign service provider 
is also constant. The scheme uses QuasiModo trees, which have been 
previously applied to certificate revocation. It improves upon previous 
chain-based proposals and their tree-based analogues. As a byproduct, 
our scheme yields a micropayment protocol which is an improvement over 
tree schemes with respect to both communication complexity and time 
complexity (in both cases by a factor of approximately 2, amortized). 

Keywords: Metering, Micropayments, Microcredits, QuasiModo trees. 
Category: Research. 



1 Introduction 

As mobile wireless computing becomes more prevalent, home service providers 
(HSPs) will look to offer an ever-increasing number of value-added services to 
their customers. In many cases, these services will be offered through foreign 
service providers (FSPs), with whom some type of prior arrangement has been 
established. The FSP reports the amount of service accessed by the user to the 
HSP who, in turn, bills the user an amount commensurate with the usage. This 
type of situation occurs today in the case of cellular phone service where users 
who are roaming may connect through someone other than their home service 
provider. As the number of services begins to grow, so too will the number of 
FSPs. This phenomena will create an interesting security issue - namely, to what 
extent can the user and HSP trust the FSP? 

So Many FSPs, So Little Trust. Two critical security issues arise when a 
user U who has a prior relationship with the HSP accesses a service through the 
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FSP. The first is to prevent the FSP from overstating the amount of service U 
actually used. The second is to prevent IA from accessing more service than he 
will later be billed for. These issues are critical since trustworthiness in FSPs 
will likely degrade with their proliferation. If the FSPs cheat, then not only are 
users victimized, but the ancillary dispute resolution costs incurred by the HSP 
might be prohibitively high. Likewise, if the users cheat, it could significantly 
cut into the profit margins of the FSPs who would otherwise resell their services 
at discounted wholesale prices to the HSP. Allegations of such cheating are not 
uncommon, even for large service providers [10]. 

Naive Solution. Using techniques from micropayments we can put forth a 
simple approach for addressing the above problem; for concreteness, we consider 
hash-chain based micropayment schemes [1,15,16,19]. Recall that a length- 
preserving function / is said to be one way on its iterates if, for any i, given 
P(x), it should be hard to find a pre-image z such that f(z ) = P(x), except 
with negligible probability. The user U computes a chain consisting of tokens 
or values: xo, ... , x m , where x m is chosen at random from the domain of / and 
Xi = f(xi + 1 ) for i £ {0, . . . , m — 1}, and obtains the HSP’s signature on ( Xo , m). 
When U makes use of the service via the FSP, he provides it with (xo ,m) and 
HSP’s signature. At each successive interval, such as when a certain amount of 
time passes or perhaps with each packet sent, U releases the next consecutive 
value in the chain. The FSP, having verified the HSP’s signature, checks that the 
chain element hashes to the starting point Xq. Finally, when use of the service is 
terminated, the FSP provides the HSP with the last chain value it received. If 
Xt is the last value sent, then U is billed for using t intervals of service. 

The above approach has several drawbacks. First, it imposes a burden on the 
HSP, since it not only has to compute a digital signature every time IA wants 
to initiate a session with the FSP, but it also has to traverse the chain, which 
requires t invocations of /. Given that a single HSP may have millions of users, 
each of whom may access a service for a large number of intervals, it is clear 
that the above approach does not scale well. We present schemes where the HSP 
performs Llog 2 (f)J + 1 hashes during the verification phase; note that this value 
is independent of the number of tokens m initially generated. Before proceeding, 
we explicitly identify some design goals. 

Design Goals. We want a solution with the following security properties: 

— Neither the FSP nor the HSP can overcharge U. In particular, should there 
be any dispute, one or both parties can produce evidence that the user did 
indeed use the amount of service for which it is being billed. 

— IA cannot obtain more service than it will actually be billed for. In particular, 
should the user try to obtain extra service, the FSP should be able to detect 
this immediately and apply an appropriate policy, such as terminating the 
service - perhaps with some advance warning. 

Furthermore, we would like to meet the following performance requirements: 

— The FSP’s workload, when allowing U access to service, should be 0(1) per 
microcredit transaction. 
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— U's workload, when accessing service through the FSP, should be 0(1) per 
microcredit transaction. 

— The communication complexity between the FSP and IA should be 0(1) per 
microcredit transaction. 

— The HSP’s workload, at billing time, should be much less than the actual 
service used; e.g., logarithmic, O(logt). 

— The FSP’s workload, when interacting with the HSP to provide billing infor- 
mation, should be much less than the actual service used; e.g., logarithmic, 
0(log t). 

— The communication complexity between the HSP and FSP should be much 
less than the amount of service actually used; e.g., logarithmic, O(logt). 

Note that, at billing time, the FSP must at least convey to the HSP the value t 
specifying how much service was used. Since t requires O(logt) bits to represent, 
the above performance requirements are essentially asymptotically optimal. 

Our Contributions. We present a scheme that meets the above design goals. 
Communication complexity between the user and the FSP is between 1 to 2 
hash outputs (20 to 40 bytes if we use SHA-1). The FSP performs one hash 
function computation. At the end, the FSP provides at most [log 2 t\ + 2 hash 
values to the HSP, where t corresponds to the amount of service used by U. To 
achieve the lowest time and communication complexity, the FSP needs to store 
or cache 0(t) hash function outputs. The scheme uses QuasiModo trees which 
were introduced for efficient certificate revocation [4]. Finally, we observe that 
QuasiModo trees yield a micropayment scheme that is a strict improvement over 
other simple tree-based schemes with respect to both communication complexity 
and time complexity (in both cases by a factor of approximately 2, amortized). 

We use the term microcredits to refer to our approach since users generate 
their own tokens, and are billed only after the service is rendered. As a result, 
users are not paying directly, but rather are on credit. Also, in a microcredit 
scheme, other performance parameters, such as the amount of effort required 
to reconcile accounts when the FSP interacts with the HSP after the service is 
rendered, are especially relevant. 

Related Work. While there is extensive work in the area of micropayments, 
a comprehensive literature review is beyond the scope of the present paper; 
however, an excellent survey can be found in the paper of Lipton and Ostro- 
vsky [11]. Instead, we focus on micropayment schemes that are more germane 
to our work. One such family of schemes, as already described above, are those 
based on hash chains [1, 15, 16, 19]. Jutla and Yung’s Pay Tree scheme [9] replaces 
the hash chains with trees. For m coins, a Pay Tree, in its most basic form, is 
an (almost) balanced binary tree with m leaves 1 . For each leaf, a secret random 
value is chosen, and the leaf is assigned a label corresponding to a cryptographic 
hash of that value. Each interior node is assigned a value corresponding to a 

1 For simplicity, one can assume that m is a power of 2 meaning that the tree is strictly 
binary, as was done in [9], but the generalization to non-powers is straightforward. 
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cryptographic hash of the values assigned to its children. A party wishing to use 
the scheme simply generates such a tree and commits to its root by signing it. 
The advantage of Pay Tree is that a single tree can be used for multiple mer- 
chants, where, in one variation, each merchant is constrained to using a given 
set of leaves for payment. 

There is also a great deal of work specifically on the use of micropayment 
techniques within the mobile wireless setting [6,17,20,21,23]. The paper by 
Jakobsson et al. [6] proposes a probabilistic micropayment scheme for encour- 
aging users in a multi-hop network to forward packets. The idea of probabilistic 
payment systems was independently suggested by Rivest [18] and Wheeler [22]; 
the general paradigm of not involving the bank in every transaction was pro- 
posed by Jarecki and Odlyzko [8] who audit transactions probabilistically, though 
the payments themselves are deterministic. The remaining schemes tend to use 
hash chain techniques and variations thereof. Our proposal improves upon these 
chain-based schemes especially when it comes to final billing as the HSP only 
needs to perform 0(Llog 2 fJ + 1) compared with 0(t) work for a naive chain 
based scheme and 0({log 2 mj + 1) for a naive tree-based scheme, where t is the 
number of transactions and m is the number of initial tokens generated. 

Organization. The next section presents our microcredit scheme. Section 3 dis- 
cusses the scheme’s performance and security. The subsequent section describes 
the performance tradeoffs one achieves through variations on QuasiModo trees. 
Finally, section 5 describes various extensions related to probabilistic polling, 
micropayments, and achieving anonymity within a session. 

2 Microcredits Using QuasiModo Trees 

2.1 Preliminaries 

Model and Notation. We have a home service provider HSP, a foreign service 
provider FSP, and a user U. We assume the existence of an open or closed public- 
key infrastructure in which HSP and U have public-private key pairs. For a party 
P £ {FSP, U}, its key pair is denoted (Skp, Pkp) where Skp is the private signing 
key for computing the signature on a message, and Pkp is the public verification 
key corresponding to Skp. Let VS = (KG,Sign,Vf) denote a digital signature 
scheme that is secure against existential forgery under adaptive chosen message 
attack [5]. Here KG denotes the key generation algorithm, Sign(Skp,M) denotes 
the signing algorithm which outputs a signature a on message M under signing 
key Skp (the signing algorithm may be randomized), and Vf(Pkp, M, a) £ {0, 1} 
denotes the verification algorithm which evaluates to 1 if the signature cr on 
message M is correct with respect to the public key Pkp. 

Let {0, 1}* denote the set of all bit strings. Let H denote a cryptographic com- 
pression function that takes as input a 6-bit payload and produces a w-bit output. 
Our constructions require b = 2v which can easily be achieved by padding well 
known constructs. The compression function may also be parameterized by a 'li- 
bit initialization vector or IV, which is fixed and publicly known; for convenience, 
we do not view the IV as an actual input to H so sometimes omit it from the 
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argument list. In our schemes, we may assign a different hash function to each 
user by, for example, setting the IV or some other payload padding to be a func- 
tion of the user’s identity. We assume these cryptographic compression functions 
are collision resistant ; that is, finding two distinct inputs mi 7^ m2 such that 
H(IV, mi) = ff(IV, m2) is difficult. A practical example of a compression func- 
tion is seen in SHA-1 [14]; its output and IV length is 20-bytes and its payload 
is 64-bytes. In practice, the hash functions in our schemes will not operate on 
data larger than the compression function payload size. For simplicity, we use 
the term hash function instead of compression function, where it is understood 
that a hash function takes arbitrary length strings {0, 1}* and produces a fixed 
length output in {0,1 j'". We use the symbol TL to denote such a function. Hash 
functions are assumed to be both one way and collision resistant. Finally, for a 
real number p, \p\ denotes the smallest integer greater than or equal to p and 
[p\ denotes the largest integer less than or equal to p. 

Merkle Trees. One important notion is that of a Merkle tree [13], which 
can be described as follows. We start with A (pseudo) random values x\, ■ . . , x\ 
each of which is in {0, l} n . For simplicity, assume that A is a power of 2. Let 
H : {0, l} 2n — > {0, 1}" be a cryptographic hash function that maps 2n-bit strings 
to n-bit strings. The Merkle tree associated with Xi, . . . ,x\ under hash function 
H is a balanced binary tree in which each node is associated with a specific value 
Value(c). There are A leaves, and for each leaf £j, Valued) = H(xi), 1 < i < A. 
Note that we abuse notation since the x t are in {0, l} n , but the domain of H is 
{0, l} 2ra ; in this case, we assume that H is padded appropriately. For an interior 
vertex v, let Co(v) and Ci(u) denote its left and right children. Let o denote the 
concatenation operation. Then, Value(u) = 7-f(Value(Co(n)) o Value(Ci(u))). 

Merkle trees may be used to digest data in digital signatures, where the 
message blocks are assigned as leaf values and the digest corresponds to the 
value associated with the root. Also, if the underlying compression function is 
collision resistant, then it is hard to find two different sets of starting values 
whose Merkle root value is identical [3, 12]. 

QuasiModo Trees. QuasiModo trees were introduced for certificate revoca- 
tion [4], They ostensibly resemble Merkle trees except that the interior vertices 
are numbered. Our observation is that a subset of the internal nodes can be 
directly utilized in a micropayment scheme. The upshot is an improvement in 
both the time complexity and communication complexity compared to using a 
Merkle tree. We begin with m (pseudo) random values, x ±, . . . , x\ £ {0, 1}". We 
assume, for convenience, that A is a power of 2. The bottom tree layer has A 
only-children vertices. Next, we place a depth k + 1 balanced binary tree on top 
of the bottom layer vertices. We now assign values to the vertices. The bottom 
level A vertices take on the values xi,...,x\ respectively. For the layer that is 
directly on top of the bottom layer, we assign the n-bit value H(xi) to the i th 
such vertex. That is, if (! i is such a vertex, then Value(t')) = H(xi ), for 1 < i < A. 
For the remaining vertices v, Value(u) = 7Y(Value(C 0 (u)) o Value(Ci(u))). Next, 
we color the tree vertices. Any vertex that is a left child or an only child is col- 
ored grey. The remaining nodes (including the root) are colored white. The grey 
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vertices are then numbered top-down from left to right. That is, the number 
one is assigned to the left child of the root. The number two is assigned to the 
left child of the left child of the root. The number three is assigned to the left 
child of the right child of the root, and so on. We refer to the i th grey vertex by 
gv(z). Figure 1 provides an example of a QuasiModo tree that can be used for 
15 microcredit transactions; the tree is compared to a Merkle tree which would 
require approximately 2 times as many vertices to achieve approximately the 
same aim. 




Fig. 1 . On the left is a 23-vertex QuasiModo tree that can be used for 15 microcredit 
transactions; each interior node is assigned a value equal to the hash of its children’s 
values. Each left child is numbered sequentially top-down, left to right. On the right 
is a 23-vertex Merkle tree. The basic part of the tree has 15 vertices; but 8 additional 
implicit vertices hang off the bottom. This tree can only be used for 8 microcredit 
transactions. By using interior vertices, we achieve almost twice as many microcredit 
transactions for the same size tree, yielding an overall efficiency improvement. 



We also use the notion of the co-nodes for a given vertex in either a Merkle or 
QuasiModo tree. For a vertex v, CoNodes(v) is the set of siblings of the vertices 
on the path from v to the root. More formally, if Sib(u) and Parent(u) denote u’s 
sibling and parent respectively, then: 



CoNodes(u) 



0 if v is the root 

{Sib(u)} (J Col\lodes(Parent(u)) otherwise. 



Finally, for a set of co-nodes, we abuse notation by letting Value(CoNodes(u)) 
denote the values associated with the co-nodes of a vertex v. 

Given the co-nodes, we may calculate the root value. Suppose that the value 
associated with gv(z) is v and suppose that the values of the siblings of all the 
vertices on the path from gv(z) to the root vertex are V\, . . . , V(. Then, the root 
value can be calculated as h( where h\ = H(v ovi) and h, = 7i([/ij_i, i>J) where 
[hi, Vi] equals ty o hi if Vi is a left child or hi o Vi if u, is a right child. 
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2.2 Our Microcredit Scheme 

Set Up. During the one-time set-up phase, the following steps are performed: 

1. HSP creates a public / private key pair (Pknsp, Sknsp)- It provides the public 
key (out of band) to each user IA and each foreign service provider FSP with 
which it does business. 

2. Each user U generates a public / private key pair (Pk^.Sk^). It presents 
Pk u to HSP and proves that it knows the corresponding private signing key; 
this step can be accomplished by signing a series of challenge messages or 
by providing a zero-knowledge proof. 

3. If U succesfully convinces HSP that it knows the signing key, and if the user 
is an authorized subscriber of HSP, then HSP first constructs certificate data 
CertData^ = (U, Pk u,d exp ,d issue ,IIu) where d exp and d issue are the date of 
expiration and the date of issuance of the certificate respectively, and IIu is 
a policy specifying information regarding what services are authorized, and 
such information. The date of expiration can either be a numerical date or 
could specify that the certificate is valid for some number of time periods 
from the date of issuance (e.g., 365 days). 

4. HSP computes ou = Sign(SkHSP, CertData^). It provides (au, CertData^) to 
the user U. Note that HSP effectively is the certificate authority in a closed 
public-key infrastructure. 

5. U checks that Vf(Pknsp, CertData^, an) = 1. If so, he accepts; if not, he 
informs HSP. 

Service Usage. To use the service, U and FSP perform the following steps. 

1. IA estimates how much service he wishes to use in terms of the number of 
transactions that will take place. We denote this number by m. This estimate 
does not have to be accurate and the user can always generate additional mi- 
crocredit tokens as we will see. Performance improves with accuracy, though 
the user is better off overestimating rather than underestimating. 

2. U creates a QuasiModo tree with ( m + l)/2 leaves (which correspond to m 
grey vertices). Let r denote the root of the tree. The user computes ay = 
Sign (Skyy , FSP, Value(r)). It sends (Value(r), o>, CertData^, an) to FSP and 
makes an official service request. 

3. FSP examines IIu to ascertain that IA indeed can use the service in question. 
Next, FSP verifies that di ssue < d exp on the certificate data CertData^. 
Finally, it checks if the signatures of HSP and U are valid. If these check out 
correctly, it grants the service request. Otherwise, it follows an appropriate 
policy, like refusing service. Also, if the certificate scheme incorporates some 
revocation mechanism, then the certificate’s status should be checked. The 
process by which that is done is essentially orthogonal to the present scheme. 

4. At each period i, if the user wishes to continue service, it provides FSP with 
the i th microcredit token Value(gv(7)) as well as Value(Sib(gv(*))) (if the 
latter exists). 
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5. FSP computes hv = 7Y(Value(g v(*)) o Value(Sib(gv(i))), if i < (to — l)/2, 
or simply hv = 7Y(Value(gv(i))) otherwise. If i is even, FSP checks if hv = 
Value(gv(i/2)). Otherwise, it checks if hv = Value(Sib(gv((* — l)/2))). Ob- 
serve that FSP can perform these computations since it received Value(gv(i/ 
2)) and Value(Sib(gv((i — l)/2))) at iteration |_i/2j . If these checks succeed, 
FSP accepts LV s token. Otherwise, it rejects the token and applies an appro- 
priate policy, like terminating service, perhaps with some advance warning. 

If U runs out of tokens, he creates another QuasiModo tree, signs the root, 
and provides the relevant information to FSP. This results in an extra signature 
computation and verification, so is not desirable. However, since hashing is much 
less expensive than signing, IA can take precautions by generating a larger number 
of coins, with minimal penalty 2 . 

Bill Reconciliation. To reconcile and appropriately bill U , the following 
steps are taken. 

1. Suppose service ends after t intervals. Then FSP has received Value(gv(t)). 
It transmits (t, Value(r), oy, Value(gv(i)), Value(CoNodes(gv(<))), U) to HSP. 
Note that FSP received the co-node values in earlier iterations. 

2. HSP first determines whether the user was allowed to access the service in 
question, and checks to see that he has a valid certificate. Next, it checks 
that Vf(Pk^, FSP, Value(r), oy) = 1. Finally, HSP computes the root of the 
QuasiModo tree using the co-nodes it received, and it checks that this root 
matches the root value that FSP provided. If these computations check out, 
HSP bills U for t intervals of service from FSP. In theory these checks should 
not fail since HSP is effectively performing the identical steps that FSP per- 
formed earlier. But of course, in practice, something else may go wrong. 
So, should any checks fail, HSP would follow some appropriate policy; for 
example, HSP and FSP may determine what caused the failure. If it was be- 
cause FSP accepted an incorrect token, or failed to perform a computation 
correctly, then FSP may be penalized. 

Dispute Resolution. If there is a billing dispute in the sense that a user 
claims to be billed for more service than was utilized, then both HSP and 
FSP can provide a proof of the correct amount by presenting (i, Value(r), ay, 
Value(gv(t)), Value(Col\lodes(gv(f)))). We later show that if the root value com- 
puted utilizing Value(gv(f)) and Value(Col\lodes(gv(f))) matches Value(r), and 
Vf(Pk?y , Value(r), oy) = 1 then, it either follows that Value(gv(<)) was known to 
FSP or HSP, or that a collision was found in hi. Assuming that hi is collision 
resistant, it must be the case that FSP or HSP received Value(gv(<)). Since this 
value was secretly generated by IA and not revealed previously, it must be the 
case that the user transmitted it. 

2 Observe that one distinct advantage of using QuasiModo trees is that verification 
time is proportional to the logarithm of the grey vertex number. If one were to try 
using regular trees, then the verification time would be proportional to the entire 
height of the tree. The latter will be larger if the user generates many more coins 
than he eventually uses. 
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3 Discussion and Analysis 

Performance. Our microcredit scheme is efficient in terms of both computa- 
tion and communication, especially when Quasimodo trees are used. If U spends 
t microcredits from a single hash tree with FSP during a session, then at the 
end of the session, FSP only needs to store at most [log t J + 2 node values cor- 
responding to the values of the t th grey vertex and its co-nodes, regardless of 
the size of the full hash tree. Similarly, FSP’s transmission of the t th microcredit 
to HS P consumes O(logf) bandwidth, and HSP can verify the microcredit using 
O(logt) computation. With an m-token Merkle trees, FSP would have to store 
1 + log 2 to values. Note that m > t. Moreover, to is an upper bound on the 
number of tokens the user believes he will use. 

Now, we compare the bandwidth consumption of using QuasiModo trees 
versus Merkle trees. For to microcredit tokens, the corresponding QuasiModo 
tree has (3m + l)/2 vertices (since there are ( m + l)/2 leaves and to interior 
nodes); if all tokens are spent, the total number of proof node values transmitted 
is (3m — l)/2 since we do not have to count the root. For m transactions, the 
amortized proof size is 3/2 — 1/2 m hash values per transaction. Assuming caching 
we will always send exactly 2 values for the first ( m — l)/2 transactions and 1 
value for the remaining (?n + l)/2 transactions. For a simple Merkle-tree we 
have 3m — 1 vertices; where 2m — 1 vertices are part of the basic tree, and to 
vertices are attached to the bottom of the tree. Again, ignoring the root value, 
the total number of proof node values transmitted is 3m — 2. Thus, the amortized 
proof size of to transactions is 3— A Therefore, the improvement factor of using 
QuasiModo trees is 2 — 3?? /_ 1 which approaches 2 as to increases. In practice, 
however, the effects may be more pronounced for two reasons. The first is that 
the above improvement factor assumes that all to microcredit tokens are spent. 
Recall, however, that in our scheme the user generates a QuasiModo tree where 
the number of encoded tokens is an upper bound on what he wishes to spend. 
For a QuasiModo tree only one or two values are sent even if this upper bound 
is never reached, whereas for a Merkle-tree based scheme, the penalty is more 
severe since the proof size is related to the tree height. The second reason is that 
Merkle tree proof sizes vary with each iteration - going up to 1 + log 2 to. This 
variance is more likely to increase the packet count and hence the transmission 
time; we discuss this concept in more detail shortly. 

Next, let us compare the time complexity of verifying QuasiModo proofs 
versus Merkle-tree proofs. As we observed, for m tokens either one or two values 
are sent, so we only require a single call to a cryptographic compression function 
to verify it, assuming that FSP caches the hash values it receives. We compute the 
total proof verification time for a Merkle tree as follows. For each of the to vertices 
attached to the bottom of the tree, one compression function call is required. 
Next, for the vertices above the bottom, one compression function call is required 
for each interior node. Since there are to — 1 such nodes, to — 1 compression 
function calls are required. The total number of calls is thus 2 to — 1. So, the 
improvement factor from using QuasiModo trees is 2 — which approaches 2 
as to gets large. 
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A potential drawback of the QuasiModo approach is that FSP has to cache 
many of the hash values IA transmits in order to achieve 0(1) time complexity 
for verification. In the worst case, for a QuasiModo tree with m grey vertices, 
FSP may have to cache (m + l)/2 vertex values (corresponding to the values of 
the vertices one level from the bottom). For reasonable parameters values, this 
might not be a problem. For example, suppose that there are 5,000 users, each 
of whom are simultaneously looking to access 2047-units of service from FSP. 
These numbers are conservative since an FSP might be accessed in a manner that 
is local to a smaller population group, such as via a base station, so the number 
of simultaneous users is unlikely to be 5,000; moreover since 2047 transactions 
at 5-seconcl intervals would provide close to three hours of continuous service, 
it is even less likely that all 5,000 users will want this much service (especially 
in the mobile setting). If we use SHA-1 as the underlying hash function (with 
a 20-byte output), then in the absolute worst case, FSP would have to cache 
(2047 + l)/2 x 5000 x 20 bytes - which is approximately 100MB. This amount 
is negligible (on the order of l/50 t/l of 1%) with respect to the cache size on a 
carrier-grade server, which is usually on the order of several hundred gigabytes. 

Observe that a micropayment or microcredit approach using pure hash chains 
only requires one hash value to be transmitted per microcredit, and only requires 
that FSP store a single hash value and that only a single hash value is transmit- 
ted between FSP and U\ however, FISP’s costs are considerable: its computation 
cost is 0(t) per user. When you consider that a sizeable service provider may 
have millions of users, and when you imagine a situation in which a token is sent 
for every packet transmitted or for every few seconds of service, the resulting 
computation is enormous. Also, we remark that saving 20-bytes of communica- 
tion, as one may sometimes achieve in a chain-based scheme while desirable, in 
theory, is unlikely to lead a direct performance improvement in practice. In par- 
ticular, as observed by [4], communication complexity, in practice, is measured 
by the number of packets transmitted rather than bits transmitted. Consider 
that the average sized TCP packet is 536-bytes (after removing 20-bytes each 
for the TCP and IP packet headers) and packet sizes up to approximately 1500 
bytes (the maximum ethernet packet size) are reasonable especially if some form 
of path maximum transmission unit detection has taken place to ensure that 
the packets will not get fragmented. So, with packet sizes that are much larger 
than 20-bytes, it is likely that one can find a place for the hash value without 
requiring the transmission of any extra packets. 

Security Analysis. We will prove the following two theorems regarding the 
security properties of interest. We assume that adversaries are resource bounded 
and can neither compromise the security of the underlying signature scheme VS 
nor can they find collisions or pre-images in the hash function 7 A, except with 
negligible probability. 

Theorem 1. Assuming that hi is a one-way collision-resistant hash function 
and that VS is a secure signature scheme, FSP will not be able to overcharge the 
user, except with negligible probability. 
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Proof. (Sketch) We first consider the slightly more complex case that U did not 
use all the microcredit tokens it generated. Suppose U used t units of service, 
but FSP tried to pass a charge of t + A. FSP would then need to transmit 

(t + A, Value(r), ay, Value'(gv(t + A)), Value'(CoNodes(gv(t + A))),U) 

to HSP, and have HSP accept it as valid. Assuming that VS is a secure signature 
scheme, it follows that to overcharge the user, FSP must construct its own vertex 
values that may not correspond to actual values computed by U at those vertices. 
Here Value'(gv(t + A)), and Value , (CoNodes(gv(t + A))) denote these spurious 
values. However, HSP uses these values to compute the root and matches it 
against r. Let v = Value , (gv(t + A)) and let r\ , . . . denote the values of the 
co-nodes ordered along the siblings of the vertices on the path from the vertex 
to the root. First note that if i is greater than the depth of the original tree, 
then that implies FSP inverted Pi at a random point, which we assume to be 
infeasible. So, let us suppose t is bounded by the depth of the original tree. 
Now, let ri, . . . , ry denote the actual values corresponding to what U generated 
in the tree. If for all * € {1, . . . , £}, it holds that = r', then it follows that FSP 
correctly computed a pre-image of Pi since U never revealed all the r,. This event 
only happens with negligible probability since Pi is a one-way collision-resistant 
cryptographic hash function. 

So, suppose that the r; and r' are not all equal. In that case, we can show 
that FSP is able to compute a collision in Pi. Now, because the r\ can verified 
as hashing to root, it follows that the root value can be calculated as h' e where 
h[ = 7Y(Value'(gv(t+A)))or , 1 ), and h! i = Pi([h' i _ 1 ,r' i \) for i G {1, . . . , i}. Likewise, 
the same root value can be calculated as he where hi = 7f(Value(gv(t + A)) on), 
and hi = Pi([hi-\,n]). Moreover, because both calculations should yield the 
same committed root value, it follows that he = Value(r) = h' ( . Now since the r-i 
and rl are distinct, but he = h' e , it follows that there is some index j € {1, 
for which /).' = hj, but (hj-i,rj) ^ (h'_ 1 ,r'). In that case, we have a collision 
since by definition 

h j = W([/i''_!,r'-]) 

= W([/ij-i,rj]) 

= h J- 

However, the inputs to Pi are distinct. We have therefore violated the collision- 
resistance property of Pi , which can only happen with negligible probability. In 
the remaining case where IA used up all microcredit tokens, the only mechanism 
for overcharging is to produce a spurious vertex that is one level below the actual 
leaf. The value for such a vertex constitutes a preimage for the leaf value. Since 
the leaf value is picked randomly, it would follow that FSP inverted Pi at a 
random point, which only happens with negligible probability, by one-way-ness. 

Theorem 2. Assuming that Pi is a one-way collision-resistant hash function 
and that VS is a secure signature scheme, U will not be able to use services for 
which he has not otherwise paid, except with negligible probability. 
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Proof. (Sketch) This property is easy to verify since the user must present a 
well-formed token at each interval; any attempt to use more service than is 
paid for would imply that a well-formed microcredit token was not sent at a 
given interval. In such a case, FSP would immediately identify it and follow the 
appropriate policy. 



4 Tradeoffs 

Microcredit size vs. Verification time (for HSP). In a Quasimodo tree, 
the k th microcredit consists of 0(log k) node values and may be verified in 
O(logfc) time; a hash chain has constant size, but requires 0(k) verification 
time. We can find tradeoffs in between by replacing each node in a binary tree 
with a hash chain. If each chain has length £, we get a hybrid Quasimodo / 
hash-chain microcredit scheme, where the size of the k th microcredit is at most 
1 + log {k/t) and the verification time is at most flog {k/t). 

Tree Traversal by the User. One potential shortcoming of QuasiModo 
trees when using breadth-first enumeration of the nodes is that “tree traversal” 
is somewhat expensive for U. At one extreme, U may cache all of the node values 
so that each microcredit is ready to transmit without any recomputation. At the 
other extreme, U may cache no node values; however, in the worst case, comput- 
ing a microcredit requires 0(n) recomputation. In between these extremes, we 
can view the tree as consisting of L = (log n)/h levels, where each level consists 
of subtrees of height h. Instead of enumerating individual nodes breadth-first, 
we may order the subtrees in a breadth-first manner, adjusting the numbering of 
individual nodes accordingly. Such an enumeration allows a 0{h2 h ) : 0(n/2 2h ) 
memory-computation tradeoff. Although this may be reasonable for some values 
(especially for small values of L like 2 or 3) this does not compare favorably with 
the tradeoff elegantly achieved by Jakobsson et al. [7] for traversing Merkle trees 
- namely, f log 2 n/ log log n memory and 2 log n/ log log n computation. 

It turns out that, using QuasiModo trees, one can improve upon Jakobsson 
et al.’s tradeoff. To do this, the nodes of the tree are numbered according to a 
pre-order traversal; that is, the parent is numbered first, then the left descen- 
dants, and then right descendants. The k th microcredit consists of the k th node’s 
children, along with the k th node’s co-nodes. This enumeration retains the ben- 
efit of unit transmission cost for U and unit verification cost for FSP, but it is 
possible that the k th microcredit’s verification path is longer than log k. 

The tree is traversed using essentially the same approach as in [7], except 
that each output requires only one unit of the TREEHASH algorithm for each 
subtree (rather than two units). At a very intuitive level, the reason is that 
QuasiModo trees, unlike Merkle trees, make full use of internal nodes. For a tree 
in which computing the root node value requires n hashes, QuasiModo squeezes 
out n microcredits, while Merkle trees only get • This doubling carries over 

into the traversal algorithm computation, so that QuasiModo requires half the 
computation per microcredit. 
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5 Extensions 

Incorporating Polling. We may incorporate polling into our schemes to 
lower computational effort, at an increased risk of fraud, in two places. First, 
when FSP receives microcredits from IA , it can choose whether to immediately 
verify each token according to some probability (this does not apply to the first 
and last tokens, which should always be verified). If U tries to cheat, then at the 
very least, he will either be caught when the last token is verified, or there will 
at least be some prior valid token that can be used to bill U. If FSP keeps track 
of such user behavior, it can tailor the polling probability dynamically. 

We may also incorporate polling into the bill reconciliation phase. In partic- 
ular, suppose s users have finished accessing the service through FSP. Suppose 
further that the roots on the QuasiModo trees they generate are ri, . . . ,r s , re- 
spectively and that the amount of service they use is ti , . . . , t s , respectively. At 
bill reconciliation time, FSP first sends (Value(rr), t\), . . . , (Value(r s ), t s ) to HSP. 
Next, HSP picks a set of k indices i\, . . . , ik £ {1, . . . , s} and sends these to FSP. 
Finally, FSP transmits 



(ti , Valued ),o- r4 ., Value(gv(ti )), Value(CoNodes(gv(tj ))),Wj), 



for j e {1, . . . , k}. These constitute the values he was prepared to send HSP any- 
way; however because he sent (Value(rr), t\), . . . , (Value(r s ), t s ) in the first phase, 
he committed himself. Now, HSP verifies the transmitted values as he normally 
would. If any of these checks fail, he will request the remainder and possibly 
penalize FSP. If there is later a dispute that arises from one of . . . ,Ui a , it can 
by handled by HSP directly. If, on the other hand, there is a dispute for another 
user, HSP can then request the information regarding that user from FSP. If 
FSP cheated, then it will be caught now since it already committed to rr, . . . , r a . 
On the other hand, if FSP is honest, it will be able to produce the usage proof 
for the other user. 

Micro payments Using QuasiModo. We may directly use QuasiModo trees 
in a micropayment scheme. The advantage of such a scheme over, say, Payword is 
that the computation required by the bank to validate coins sent by a merchant 
is only logarithmic in the number of coins spent, rather than linear. At the same 
time, the communication complexity between the merchant and user is constant, 
as is the time complexity of the work the merchant and user both have to do. 

Paytree Using QuasiModo. Paytree [9] extends Payword [19] to allow a single 
tree and signature to be used for multiple merchants. In one variation, specified 
in the original paper, each leaf of the tree is a PayWord hash chain associated 
with a single merchant. Obviously, we can reduce the bank’s verification time if 
each merchant is, instead, associated with a QuasiModo subtree of the Paytree. 

Customer Anonymity. If U uses a conventional signature scheme, and W s 
public signing key is certified in a normal fashion, then IV s transactions with 
FSP are not anonymous. If we wish to achieve some degree of anonymity between 
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U and FSP, we may do so through the use of group signatures; for example, we 
may use the scheme of [2], which is the current state of the art. Then, each user IA 
registers with HSP, who acts as a group manager, to establish its signing key. We 
may have separate classes of group public keys corresponding to different credit 
levels. When requesting service from FSP, IA signs the root of a hash tree with its 
signing key. FSP can check that IA is indeed in the group managed by HSP, and 
that HSP has given IA sufficient credit; so, it can accept microcredits from IA up 
to that amount. On the other hand, because a group signature scheme is used, 
FSP will not know IA ' s identity. At bill reconciliation time, FSP will, as usual, 
relay IA ’ s signature to HSP, who can then “open” the signature to determine U ' s 
identity and charge the account accordingly. 

If it is really desired, the customer can achieve anonymity even with respect 
to HSP if HSP signs the root value using a blind signature. With such a micro- 
payment scheme, the customer can then give these coins to an FSP without fear 
that HSP and FSP can collude to map transactions to customers. 

However, we stress that in both cases, there is some degree of linkability 
between individual transactions in a given session since all the hash values are 
anchored to the root of the same tree. However, between sessions themselves, 
there is no linkability. 

Variations on QuasiModo Trees. One can imagine slight variations on 
QuasiModo trees. For example, instead of having a binary tree, one can have 
a fc-ary tree. We could not find any meaningful advantage to such an approach 
since the number of co-nodes for a vertex is proportional to the tree degree. 
Thus, for a k - ary tree, the i th grey vertex will have proof size 0(k log fc i). 

Another variation is to apply a different coloring of the vertices. In our case 
we colored every left child, however, we may instead pick a child arbitrarily and 
color it grey, while making its sibling white. One can extend our schemes to this 
setting. 

In a similar vein, we may want to consider a different numbering of the grey 
vertices. For example, if we number vertices depth first rather than breadth first, 
then FSP only has to cache at most 0(log 2 m) values where m is the size of the 
tree. However, the disadvantage of this approach is that the deeper the vertex, 
the longer the associated proof - with the maximum proof size being 0{ log 2 to) 
for a leaf. By numbering breadth first, we may never have to present leaf vertices 
in a microcredit transaction. 
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Abstract. Systems for the support of customer relationship management are be- 
coming increasingly attractive for vendors. Loyalty systems provide an interest- 
ing possibility for vendors in customer relationship management. This holds for 
both real world and online vendors. However, beside some potential benefits of a 
loyalty system, customers may also fear an invasion into their privacy, and may 
thus refuse to participate in such programs. In this paper, we present a privacy- 
friendly loyalty system to be used by online vendors to issue loyalty points. 
The system prevents vendors from exploiting data for the creation of customer 
profiles by providing unconditional unlinkability of loyalty points with regard 
to purchases. In the proposed system, we apply the difficulty for the computa- 
tion of discrete logarithms in a group of prime order to construct a secure and 
privacy-friendly counter. More precisely, all computations are carried out over 
special cryptographic groups based on elliptic curves where the decisional Diffie- 
Hellman problems can be solved easily while the computational Diffie-Hellman 
is believed to be hard. 



1 Introduction 

The World Wide Web has evolved to a business platform with worldwide reach and 
24h/7 service for selling various kinds of goods. Presently, more than 600 millions of 
people have access to this business platform and thus, are potential customers for online 
vendors. Naturally, every online vendor’s interest lies in attracting new customers and 
increasing the base of loyal customers. Since loyal customers create regular revenues, 
the goal of online vendors, as well as real-world vendors, is to turn occasional customers 
into loyal ones. Thus, in the past, online and real-world vendors have introduced loyalty 
programs, e.g., frequent flyer programs or online consumer reward systems. 

Aside from customer retention, another incentive for vendors is to learn more about 
their customers to exploit this information for purposes, such as customer profiling, 
data mining, or direct marketing. Thus, from the customer’s perspective, loyalty pro- 
grams have two sides. On the one hand, customers value the financial benefits, on the 
other hand, they may fear an infringement of their privacy. Hence, if privacy concerns 
outweigh the expected benefits from the loyalty program the vendor’s strategy for at- 
tracting and retaining customers will fail. Thus, if privacy is a barrier for customers to 
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participate in the program, it may be worthwhile for vendors to reconsider their strat- 
egy of collecting personal data. Indeed, according to [18, 22], there are many customers 
that are concerned about their privacy in electronic commerce scenarios. Thus, privacy- 
friendly loyalty systems might be of particular interest to vendors in order to gain a 
competitive advantage. 

In this work, we deal with loyalty systems in which customers receive points from 
vendors for their purchases. Points can be redeemed at the vendor’s in exchange for a 
reward. Usually, a reward can be obtained when a customer has reached a pre-defined 
number of loyalty points. 

In order to enhance privacy for the customers, the vendor must not be able to gener- 
ate consumer profiles by linking customers’ transactions through the loyalty program. 
Thus, it is our goal to prevent the vendor from using loyalty points to link any two cus- 
tomer transactions. Hence, when points are handed in by the customer, it is not possible 
for the vendor to determine the purchases in which the points were obtained. Of course 
this is only meaningful if there is no other linking information available to the vendor 
outside the loyalty system. In addition to unlinkability of points to transactions, there 
are security requirements with respect to unforgeability of points and preventing that 
the same points are redeemed more than once. 

The privacy-friendly loyalty system presented here uses an efficient variant of blind 
signatures which are based on discrete logarithms in groups of prime order. All compu- 
tations are done in special cryptographic groups based on elliptic curves that allow to 
decide easily whether three given group elements form a Diffie-Hellman triple, while 
both the computational Diffie-Hellman and the Discrete Logarithm problem are con- 
ceivably intractable [19,20]. We propose a counter-based solution in which multipli- 
cations in the elliptic curve are iteratively applied for each loyalty point that is issued. 
As it turns out, this yields more efficient solutions than with straightforward applica- 
tion of blind signatures (called token-based system), yet it also entangles the design and 
security analysis. Furthermore, in contrast to such a token-based system, the proposed 
counter-based system prevents different customers from pooling their loyalty points 
since values of different counters cannot be added up. In the redeem transaction, the 
counter which represents the loyalty points collected by a customer can be efficiently 
verified in one step by the vendor. The proposed loyalty system provides unconditional 
unlinkability of loyalty points with regard to purchases. 

The paper is organized as follows. Section 2 gives some background on loyalty 
systems. In section 3 we define essential privacy and security requirements for loyalty 
systems. Section 4 provides necessary background on elliptic curves and proposes the 
protocols of our loyalty system. In section 5, we consider the properties of the proposed 
system. Related work is discussed in section 6, before we draw some conclusions. 



2 Loyalty Programs 

A loyalty program is a structured marketing effort which rewards, and therefore en- 
courages, loyal behaviour of customers, which is hopefully beneficial to the vendor 
[28]. We say that a customer is loyal if she has a strong attitude to a certain vendor 
over its competitors. The motivation of vendors for adopting a loyalty program is, in 
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general, twofold. First, vendors want to retain present customers and stimulate repeated 
purchase behaviour which would guarantee regular future earnings. And second, they 
want to learn more about their customers in order to refine their business strategy. 

In general, the basic conditions for loyal customer behaviour in the real world are 
different from the electronic world [26]. Connecting to a vendor’s site is as easy as 
connecting to its competitor’s site. This is in contrast to the real world where barriers 
exist, such as geographical distance or an existing inter-personal relationship between 
customer and shop personnel, that may prevent customers from instantly switching ven- 
dors. Thus, online vendors must be even more interested in loyalty programs than their 
real-world counterparts. 

There are different types of loyalty programs, e.g., reward systems and virtual com- 
munities. Reward systems give program members a financial incentive. They can be 
classified according to the time the reward is given relative to the purchase. There are 
immediate reward systems, e.g., price promotions or rebates through membership credit 
cards, and delayed reward systems, e.g., point collecting programs like frequent flyer 
miles or ’’buy 10 get one free”. Virtual communities focus on social and service aspects, 
e.g., online discussion panels on product related problems. 

There are some variants for point-based loyalty programs. The number of points 
awarded to the customer may depend on the monetary value of a purchase, e.g., one 
point for each Euro spent, or it may depend on specific types of products, e.g., af- 
ter having bought 10 mp3 files one can download one for free. Furthermore, we can 
categorize point programs according to the way points are collected. In a token-based 
approach, for each awarded point a token is issued, e.g., chips issued by a supermarket, 
while in a counter-based approach the number of points to be obtained is added to the 
current point balance, e.g., frequent flyer miles. 

Members of loyalty programs have a greater propensity to be loyal to the vendor and 
also have an increased usage frequency compared to non-members [28]. Furthermore, it 
can be assumed that members are less willing to try offers of competing vendors, even 
when negative experiences with the vendor occur since these effects are moderated by 
the loyalty program membership [5], According to [14], loyalty program members are 
also less price sensitive, spend more money and are more likely to pass on positive 
recommendations than non-members. 

The customer information gathered in loyalty programs can be used by the vendor 
for direct marketing, data mining, and customer profiling in order to promote products, 
infer new customer data, and optimize their range of products, respectively. This means 
that vendors have a large consumer database where they record every single transaction 
of their customers. Thus, common loyalty programs do not look so bright anymore 
from the customer’s perspective since they may see this monitoring as an invasion to 
their privacy. In this context, customers may fear losing control over their personal data, 
since vendors may disclose their data to other parties. Clearly, customer loyalty strongly 
depends on the customers’ trust in the vendor. Thus, if customers are convinced that they 
participate in a privacy-friendly loyalty program their loyalty may even increase. In this 
paper, we propose a point-based loyalty system which may lead to increased customer 
loyalty due to enhanced privacy. 
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3 Requirements 

When designing electronic loyalty systems, both customers’ and vendors’ interests need 
to be taken into account. There are requirements such as customer privacy and security 
regarding the unforgeability of loyalty points that must be considered. In the following, 
we describe requirements that a loyalty system must fulfill. 

Privacy. Customers have the fundamental requirement to protect their privacy. In our 
context, this means that it should not be possible for the vendor to create customer 
profiles from the awarding and redeeming processes of loyalty points. More precisely, it 
should not be possible for the vendor to link any two customer transactions by means of 
the loyalty system. This includes both awarding or redeeming transactions. This means, 
given a redeeming transaction, the vendor should be prevented from linking it to the 
corresponding awarding transactions and to other redeeming transactions of the same 
customer. And likewise, given an awarding transaction, the vendor cannot link it to 
awarding and redeeming transactions of the same customer. Note that we focus only 
on the loyalty systems’ properties that are necessary to achieve unlinkability. Clearly, 
linkability may be possible outside the loyalty system. However, preventing this is out of 
scope of this work. In order to achieve unlinkability for electronic purchases in general, 
additional technologies have to be used, e.g., unlinkability of search and order phases 
proposed in [16], payment systems that allow the customer to remain anonymous with 
respect to the vendor [12,9], anonymity networks as in [11,27], or privacy-friendly 
delivery in case of hard goods similar to the approach proposed in [15]. 

Security. The security requirements considered here can be summarized as system in- 
tegrity. The property of system integrity in the context of a point-based loyalty system 
means that no other party beside the vendor should be able to create valid loyalty points. 
We have several aspects of system integrity that need to be considered. 

Unforgeability. Loyalty points may only be created by the vendor himself, i.e., cus- 
tomers should not be able to produce them. At the very least, the vendor should be able 
to tell false points from genuine ones. 

Double-spending detection. In contrast to real-world loyalty points, their electronic 
counterparts can be easily copied and are indistinguishable. As a consequence, par- 
ties may try to hand-in copies of loyalty points at the vendor’s. Thus, we require that it 
must be detectable whether loyalty points have been spent before. 

Pooling prevention. In general, vendors do not want different customers to pool their 
loyalty points in order to jointly achieve the redeem threshold. Thus, the loyalty system 
should prevent successful pooling, e.g., it should be impossible for two users to trans- 
form their individual counter values of, say, 5 into a joint counter of 10. Note that this 
does not address the problem of colluding customers sharing a counter; the latter cannot 
be prevented in systems with perfect privacy. 

4 Construction of the Loyalty System 

In this section, we present the counter-based loyalty system. Before presenting the pro- 
tocols, we introduce the specific type of elliptic curves our scheme relies on and some 
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important facts. Using these curves allows customers in our construction to verify the 
validity of issued loyalty points as will become clear later. 

4.1 Elliptic Curves 

Elliptic curves provide an alternative to well-known groups based on modular arith- 
metic over the integers. Compared to cryptographic operations like RSA over 1,* N or 
Diffie-Hellman over Z* elliptic curves usually offer smaller key sizes at a comparable 
security level. Nonetheless, our motivation for basing our protocol on elliptic curves 
stems from a recently discovered property of some of these curves. Namely, we de- 
ploy special elliptic curves for which the computational Diffie-Hellman problem (given 
g,g a ,g b determine g ab ) is believed to be intractable, whereas the decisional Diffie- 
Hellman problem (given g,g a ,g b ,g c decide if g c = g ab ) is known to be easy 1 . Such 
elliptic curves have been suggested only recently [19, 20] but have immediately gained 
a lot of attention because of their usefulness for the design of cryptographic protocols, 
e.g., [6,7,4, 13]. 

The decision procedure for elliptic curves separating the computational and the de- 
cisional Diffie-Hellman problem is usually based on the so-called Weil or Tate pairing. 
These pairings can be carried out efficiently and allow to decide whether a given tuple 
constitutes a correct DH triple or not. We omit further technical details as they are ir- 
relevant for the conceptual design of our loyalty system here. Nonetheless, we remark 
that such curves have already been investigated quite well, in particular with respect to 

- appropriate choices of such groups in light of efficiency and security (note that the 
computational DH problem must still be intractable for the group) [20, 7]; 

- fast computation of the pairing functions [6, 1, 17], i.e., fast verification of putative 
DH triples (c/ a , g b , g c )\ 

- hashing into the curve [7]; that is, how to define a hash function H mapping bit 
strings to the group. 

Since we merely apply these properties we refer to these works for details. For an 
introduction to elliptic curves see [25]. 

4.2 Protocols 

The loyalty scheme consists of two protocols, the issue and redeem protocol. Both pro- 
tocols involve two parties, the vendor and the customer. The goal of our construction is 
to achieve the unlinkability of issue and redeem and also the unlinkability of any two 
issue transactions and any two redeem transactions. 

Initialization. The system is set up as follows. The vendor chooses an appropriate el- 
liptic curve for which the decisional Diffie-Hellman problem can be decided efficiently 
but for which the computational Diffie-Hellman problem is presumably hard. The order 
of the group should be a sufficiently large prime q for which we will later specify an- 
other condition, namely, that q — 1 does not have small prime factors (see Section 5.3). 
Let g be a generator of this curve. From now on, unless otherwise noted, it is understood 
that all computations are done in the curve. 

1 We use the multiplicative notation for the elliptic curve generated by g. 
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Customer Vendor 

choose s §„ choose v Z* 

compute Co := H(s) - - publish g, V := g v 

Fig. 1. Initialization 



The vendor randomly selects a value seZ* and computes V = g” . He publishes 
(g, V ) (and a description of the curve) as his public key and keeps v private. The cus- 
tomer chooses a random serial number s from some finite set S„. This serial number 
will act as an identifier for her future loyalty points, and serial numbers should be cho- 
sen such that collisions do not occur. After that, the customer binds to s by computing 
her initial counter Co := H(s), where H is some cryptographic hash function mapping 
to the group. This hash function should be specified and published by the vendor, too. 
The initialization process is depicted in Figure 1 . 

Issue. When the customer is to be credited with a loyalty point, she randomly chooses 
Ti from Z q . Then, she blinds her current countervalue c,_i by computing bi := Ci-\g ri 
and sends bi to the vendor. The vendor raises bi to the v-th power and returns the re- 
sult. Next, the customer computes the unblinding factor V~ ri and subsequently derives 
b\ ’V~ ri = cV_ v After that, the customer verifies that the vendor has sent a correct value. 
To do so she checks whether (c,_i, V. c^_ , ) is a valid DH triple by running the efficient 
test for the curve. Note that, in general, this validity test is intractable for groups like 
Z*. If the verification here succeeds then the customer sets Ci := c\_ x and stores (i. Ci). 
The issue protocol is shown in Figure 2. 

Customer Vendor 

choose ri £r Jj q \ 
compute bi := a-\g ri \ 

compute unblinding factor V~ r '\ 
unblind 6“ 

b V iV~ ri = c V i_ ig riV V- ri 



verify (c,_i , V, c“_i) DH triple?; 
set d := Ci_i; 

Fig. 2. Issue protocol in the customer’s i-th purchase 



b? 



compute 



Redeem. If the customer has reached some redeeming threshold, i.e., has gathered 
enough points to hand them in for a reward, she may execute the redeem protocol shown 
in Figure 3. There, the customer sends her serial number s, the number of collected 
loyalty points n, and the counter value c n . The vendor validates this triple by checking 
that c n is in fact Cq for cq = H (s). 
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In order to prevent customers from redeeming the same counter more than once, 
the vendor checks if s is already stored in his database of redeemed serial numbers. If 
this is not the case the vendor stores the new serial number s — alternatively, the serial 
number’s hash value H(s ) may be stored and checked, respectively. Eventually, if all 
checks are completed successfully the vendor sends the reward to the customer. 



Customer Vendor 

(s,n,c n ) 

verify c„ = H(s) v 

s not yet stored in database?; 

grant reward if verification successful; 

Fig. 3 . Redeem protocol 



Note that if the serial numbers would be used directly, i.e., without applying the 
hash function or some similar measure, then the vendor might be easily tricked into 
accepting a forged counter. Specifically, given two correct counter values c n = s v , 
c' n = (s') v for some n it is easy to derive a third counter c n c' n = (ss') v for serial 
number ss'. 

5 Properties 

5.1 Privacy 

Privacy of the customer follows easily from the fact that the element h, in the issue 
protocol is uniformly and independently distributed since the values of r, are chosen 
independently. This also holds if the vendor knows the serial number s and all data 
derived from s like co = H (s), ci = Cq, etc. This means that any two issue transactions 
cannot be linked by the vendor provided that there is no additional information that can 
be used for linking purposes. The same holds for the linkability of issue and redeem 
transactions. No execution of the issue protocol can be assigned to a specific customer 
then, even after revealing (s, n, c n ) in the redeem protocol and even if the vendor has 
unlimited computational power. 

5.2 Security 

To claim security properties of our loyalty system we first have to specify the attack sce- 
nario and successful attacks. Afterwards, we show that our system achieves the desired 
properties. 

We remark that the vendor in our system can easily thwart double spending by 
keeping track of used serial numbers s and by rejecting claims for previously submitted 
ones. As for the unforgeability and pooling prevention we prove security of our scheme 
based on the intractability of a new problem, called the incremental Diffie-Hellman 
(iDH) problem. This problem is related to the classical Diffie-Hellman problem as well 
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as to the previously proposed one-more RSA and one-more Discrete Logarithm prob- 
lems for proving Chaum’s blind signature and its discrete-log variant to be secure [2, 4]. 
Although we were unable to reduce some standard cryptographic problem to this new 
problem, our reduction enables us to investigate the security of our system by consider- 
ing a pure mathematical problem and hiding the details of the protocol. Indeed, we will 
also provide some discussion about the hardness of the iDH problem below. 

Attack Model. The attack model is as follows. We assume that the adversary controls 
several customers and coordinates their activities. Note that this covers “less malicious” 
cases where, say, some adversarial users act individually. The adversary is allowed to 
run issue protocols with the honest vendor and finally engages in a redeem protocol 
execution. The goal of the adversary is to claim more points than issued in total to these 
users. 

There is a subtlety in the formalization of the adversary “redeeming more points 
than issued”. Recall the example of two users both having already 5 individual points 
and then trying to combine their points to a joint counter value of 10. In this case 10 
points have already been issued indeed. Hence, the two adversarial users actually do not 
redeem more points than earned before, yet they illicitly pool them. The definition of 
pooling prevention should capture such misbehavior. We therefore augment the attack 
model by so-called scheduled users in addition to the controlled users. 

A scheduled user is basically an autonomous customer following the protocol hon- 
estly. The adversary merely schedules the actions of this user, i.e., determines when this 
user runs the initialization or issue protocol. More precisely, the adversary can perform 
three operations with scheduled users. First, the adversary can create a new scheduled 
user during the attack. This new user immediately follows the prescribed initialization 
protocol, i.e., chooses a serial number s and computes c ( j := H(s). The user goes idle 
until the adversary wakes him up again. Second, the adversary may call a scheduled user 
and ask him to step the counter. In this case the user runs the issue protocol with his 
current counter value and returns to an idle state again. We assume that the scheduled 
user also stores the intermediate values in addition to the current counter value (i.e., 
previous blinding and counter values) 2 . Third, at any time the adversary may corrupt 
a scheduled customer which then becomes a controlled user; the adversary gets all the 
previously stored information and the current counter value, and from now on coordi- 
nates all the user’s activities. Note that the adversary still controls the set of corrupted 
users in addition to such scheduled customers. 

We count the issued points as follows. For each scheduled user we individually 
count the number of issue protocol invocations for this user (until the user becomes 
corrupted or the attack ends). If a controlled customer starts an issue execution then we 
increment the adversary’s global count instead. By this, we have an individual number 
n cust of invocations for each customer cust (possibly n cust = 0 if the customer has been 
corrupted right away or has never run the issue protocol), and a global number n a( j v 

2 Usually, honest users are supposed to delete such information. However, reliable erasure is in 
general hard to achieve and the adversary may later be able to recover the values from the 
user’s hard disk. Thus, a conservative approach is to presume that the user in fact saves the 
values explicitly. 
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of invocations with fully controlled customers. We now say that the adversary breaks 
the system if the adversary successfully claims strictly more than n a dv + max{n cus t} 
points for some user, where the maximum is over all customers cust appearing during 
the attack. 

Note that the lower bound itself, n a dv + max{n cust }, can trivially be reached by any 
adversary scheduling a customer max{n CU st} times and then corrupting the customer 
(thereby taking over its counter) and performing n a d v subsequent runs of the issue proto- 
col by herself (using the corrupted customer’s counter as her starting counter). Claiming 
more than n a d v + max{n cus t} points captures the cases where (a) the adversary manages 
to add at least one additonal point that was not issued by the vendor to some counter, 
(b) two or more customers manage to pool their counters, or (c) a combination of both. 

In how far do scheduled users reflect pooling attacks? In the example of two cus- 
tomers merging their counter values of 5, one may think of these users as scheduled 
users. The adversary then corrupts them and tries to redeem 10 points. In this simple 
attack we have max{n CU st} = 5 and n a d V = 0 and, according to the definition, the ad- 
versary breaks the system if she manages to redeem 6 or more points for some user (by 
pooling both counter values, yielding 10 points, or by increasing the counter by at least 
one point using some other means). 

The Incremental Diffie-Hellman Problem. The incremental Diffie-Hellman problem 
is to find n > 1 and g v for given group elements g and V = g v (where v is un- 
known). To facilitate the task one is allowed to query a special Diffie-Hellman oracle 
DH 9 v ('j computing X v for inputs X. Yet, the condition is that the oracle can only be 
queried at most n — 1 times, e.g., to compute from g, g v one may make a single call 
to the oracle. Specifically: 

Definition 1 (incremental Diffie-Hellman problem). Let g be a generator of a group 
of prime order q and V = g v be a random element in this group. Given g, V and access 
to an oracle DH Si y(X) = X v the incremental Diffie-Hellman (iDH) problem is to 
come up with an element Z and an integer 1 < n < ordz* (v) — 1 such that 

z = 9 ° n+1 

and such that the oracle DH 3i y (•) has been queried at most n — 1 times. 

The upper bound on the integer n rules out trivial solutions. Else, Z := V would for 
example be a correct claim for any multiple n of the order ordz* (v) of v in Z* because 

g v " A ' = g v = Z. For our scheme we therefore choose a sufficiently large order for v; 
see Section 5.3 for details. 

Unforgeability and Pooling Prevention. The incremental Diffie-Hellman problem re- 
duces to the security of our scheme in the random oracle model. To show this we present 
an iDH algorithm that uses a successful forger for our loyalty system as a subroutine. In 
order to use the forger in this way, the iDH algorithm will set up a “virtual” environment 
for the forger by impersonating the vendor and inserting the input for the iDH problem. 
As the experiment looks like a real interaction with the vendor from the forger’s per- 
spective, the forger will claim more points than issued in the experiment if she would do 
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so in an actual attack. But any solution in the experiment will immediately give a solu- 
tion for the iDH problem. We conclude that each forger for our protocol must implicitly 
solve the iDH problem. 

In the experiment we will model the hash function H mapping serial numbers to 
group elements as a so-called random oracle [3], That is, we assume that H acts as a 
random function: it maps inputs to uniformly and independently distributed group ele- 
ments, repeating answers for previously queried inputs. Note that the idealized random 
oracle model merely provides some heuristic evidence that the scheme is indeed secure; 
refer to [10] for a discussion. Therefore, in Section 5.3 we also present a modification 
which completely forges random oracles but which essentially preserves the efficiency 
(with only a negligible loss in the initialization protocol). 

We next specify the construction of the iDH algorithm from an arbitrary forger. For 
this, the iDH algorithm first tries to guess the maximum TV cust := max{n cus t} of issued 
points for scheduled users in the upcoming experiment. This value is usually bounded 
by a parameter TV representing the system’s maximum of redeem points. Instructively, 
think of TV as 10 or 1, 000. 

To guess iVcust = max{n cus t} the iDH algorithm picks a uniformly distributed value 
between 0 and TV. The forger’s view in the following simulation is independent of this 
choice, and the iDH algorithm thus hits the right value with probability 1 / (TV + 1). If, 
on the other hand, the guess later turns out to be incorrect the iDH solver will stop with 
failure instead. The overall success probability of the iDH algorithm therefore decreases 
by a factor of 1/(TV + 1) compared to the forger. From now on, we condition on the 
event that the iDH algorithm selects the correct TV cust . 

We describe the simulation of the forger. The iDH algorithm is given g and V and 
access to the oracle, and has predicted TV cust . It first computes g y2 , g 1,3 , . . . , gV Nmst+1 by 
iteratively querying the oracle, starting with V. This can be done with TV cust queries. It 
next starts the simulation of the forger by providing g, V as the public key of the vendor. 
The emulation proceeds as follows: 

- Whenever the forger queries the hash function H about some serial number s, i.e., 
adds another controlled user to the system, then the iDH algorithm chooses w s £ 
Z q at random and returns V Wa (or returns the previously given answer if this serial 
number has been queried before). 

- If the forger initiates the issue protocol for a controlled user and submits a value b 
to the virtual vendor then the iDH algorithm calls the DH oracle to derive b v and 
answers on behalf of the vendor with this value. 

- If the forger adds another scheduled user to the system then the iDH algorithm 
chooses a number s and sets H(s) := V w “ for a random value w s £ Z q (or 
returns the previously given answer if this serial number has appeared before). The 
iDH algorithm from now on impersonates this scheduled user with values s and 
co = H(s) = V Ws = g w °\ 

- If the forger asks a scheduled user to step the counter then the iDH solver fetches 
the current counter value Cj_i = g WaV and runs a simulation of the issue protocol: 

• Take g v from the pre-computed list of powers. Note that, by assumption, i 
does not exceed the correct guess TV cust and therefore g v%+1 must be in this list. 

• On behalf of the customer select £ Z q at random and compute 6; := Ci-ig ri . 
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• On behalf of the vendor compute V ri and (g v * +1 ) Ws and reply with 

b v = V n( g v i+1 jw s = yn^ 

Store Ci = g"'" v ' + ' and r, in the name of the customer. Note that all the val- 
ues, including c t and r, , are distributed identically to an execution between a 
scheduled user and the vendor in an actual attack. 

- If the forger corrupts a scheduled user the iDH algorithm hands over all the previ- 
ously stored values on behalf of this customer and stops impersonating this user. 

When the forger finally redeems a counter value Z and n > 1 for some serial number s 
then the iDH algorithm computes ru" 1 mod q and outputs Z“’« and n and stops 3 . 

Note that the answers of the iDH algorithm are identical to those of the genuine 
vendor and the simulated hash function evaluation yields uniformly distributed values 
like the random oracle. This means that the view of any forger in the experiment is the 
same as in an actual attack, and if the forger is able to redeem more points in reality 
then she succeeds in the simulation with the same probability (under the condition that 
the iDH solver has guessed N casl in advance). 

Finally, it remains to be shown that the construction above turns any forgery in 
the experiment into a solution to the iDH problem. For this note that, for a successful 
redemption, 




Furthermore, n > max{n cust } + n a dv which implies 



n > max{n cust } + n a dv + 1 



Since the iDH algorithm has queried its oracle exactly max{n cust } + n a d v times this 
means that Z w » and n constitute a valid solution to the iDH problem. Therefore, we 
have presented an algorithm solving the iDH problem whenever the forger succeeds 
and the initial guess is right. 

As for the exact security of our loyalty system we note that, according to com- 
mon practice, the running time of the attacker comprises her own steps and the ones 
of honest parties during the attack. But then the running time of the derived algorithm 
iDH differs only marginally from the one of the attacker, i.e., the iDH algorithm initially 
computes the powers g v via the oracle and also performs some additional computations 
when simulating answers of the vendor. Our reduction hence shows that if the adversary 
breaks the loyalty system in t steps with probability e, then there is an algorithm solving 
the iDH problem in time t' ss t and with probability ]y^t( £ — |). 

On the Hardness of the iDH Problem. It remains to argue the intractability of the 
iDH problem. We are not aware of any reduction from well-established problems like 
the Discrete Logarithm problem or the canonical Diffie-Hellman problem. Still, we 

3 There is a very small probability that w s = 0 which has no inverse in Z q , or that the forger 
successfully claims a counter value for a number s that has not been passed to the hash function 
before. However, both probabilities are equal to 1/q and we thus neglect them for the analysis. 
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give a brief discussion about the intractability of the iDH problem and its relationship 
to similar problems. 

The algorithm’s task is to find some n > 1 and g v " after having made at most 
n — 1 calls to the oracle. Under the condition that the algorithm never queries the oracle 
the canonical Diffie-Hellman problem can be reduced to this problem and our problem 
is hence believed to be infeasible. Namely, without the help of the oracle the algorithm 
computes a variant of the Diffie-Hellman function, g v i— > g v for unknown v and some 
n > 1. This function, however, has the same power as the classical DH function for n’s 
of order 0(y/Togq), refer to [24,21]. 

As for the power of the oracle queries, note that the iDH problem is related to an- 
other problem from computational complexity. Namely, it is believed that computation 
of powers V 2 requires n sequential squarings and that there is no efficient improve- 
ment allowing a faster parallel computation. This problem has been applied in cryptog- 
raphy before to derive protocols with critical time release properties [8], 

In our case the constant 2 in the computation of V 2 is replaced by the unknown 
value v, even hampering the task. Hence any successful iDH algorithm that, in addition 
to the oracle calls, only performs operations which are independent of the input would 
give rise to a new algorithm deriving powers V v with less than n exponentiations 
(using some preprocessing). 

In conclusion, we cannot prove that the iDH problem is as hard as, say, the compu- 
tational Diffie-Hellman problem. However, the discussion above indicates that straight- 
forward algorithms for the problem do not work and that more sophisticated algorithms 
would be required to solve the problem — if it can be solved efficiently at all. 

5.3 Efficiency and Implementation Issues 

To implement the protocol one has to pick an appropriate elliptic curve with a pairing 
function and define a hash function mapping strings to random group elements. We refer 
to [20, 6, 7, 1, 17] for such choices. Indeed, it is not hard to see that we can eliminate the 
hash function (and the random oracle model in the security proof) if we let the vendor 
choose a random value Co for the customer in an initialization step. The unforgeability 
now follows from the hardness of the iDH problem alone. 

The variant with the vendor choosing the serial number can also avoid accidental 
collisions which may happen when customers select the serial numbers, even if the col- 
lision probability is very small. Unfortunately, this variant has some drawbacks as well. 
First, it requires an additional interaction to get a new serial number for initializing a 
new counter. Second, requesting a serial number might be correlated with a purchase/ 
issue transaction. This may allow the vendor to link the redeem transaction with the 
counter’s first issue transaction. Furthermore, in this variant the vendor learns that no 
issue transaction prior to the creation of the serial number is related to the user. In sum- 
mary, the creation of serial numbers by the vendor has some disadvantages regarding 
privacy. Another drawback is that a malicious customer could repeatedly request serial 
numbers from the vendor without really using them. Since each serial number can only 
be issued once, this may lead to an unnecessary waste of serial numbers. 

Recall that we also require the order of the vendor’s secret v in the multiplicative 
group Z* to be quite large. This can be accomplished by letting q 1 have only large 
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prime factors. Specifically, for q ss 2 160 it suffices to let q - 1 consist only of prime 
factors larger than 40 bits. Then any element v ^ 1 has order at least 2 40 in Z* which 

„ n + i.ord z « (v) 

is sufficient for all practical purposes. Since g v = g v q for any i > 0, an 
adversary may claim higher counter values n + i ■ ord^. (r;) instead of n. But this 
can be tackled by defining a maximum counter value which is obviously smaller than 
orclz*(u), i.e., larger counter values will not be accepted in the redeem protocol. The 
vendor may publish this bound on the maximum number of points as part of the system 
parameters. 

We address the vendor’s effort for the verification in the redeem protocol. Note that 
the vendor first calculates w v n mod q over Z* and then H (s) w in the elliptic curve 
and finally compares it with the given c n . Altogether these are only two exponentiations, 
and thus improves efficiency over the verification of n blind signatures in the token- 
based case. To decrease this effort further the vendor can also pre-compute and store 
powers of the universal value v, especially if all customers are likely to claim points for 
a fixed value, like n = 10. Verification of a claim then essentially boils down to a single 
exponentiation. 

The proposed solution has an efficiency drawback in a model that allows customers 
to be issued more than one loyalty point in one purchase. If a customer should obtain 
m > 1 points in one purchase, the issue protocol has to be carried out m times. 

6 Related Work 

Much work has been done by economic and marketing experts in the field of loyalty 
systems, e.g., see [5,28, 14], Furthermore, there has been lots of work stressing the 
importance of privacy for electronic commerce, e.g., see [18]. A common goal of pro- 
posals for privacy enhancing systems in the area of electronic commerce is to prevent 
certain parties from linking activities of the same customer. In typical commercial rela- 
tionships, there are many possibilities to link customer transactions. For instance, in the 
area of payment systems, the unlinkability of widthdrawal and desposit has been con- 
sidered [12, 9]. In [16], a solution to establish the unlinkability of the customer’s search 
and order phases has been proposed. In this context, we provide a solution to guarantee 
that unlinkability achieved by other techniques still holds when using a loyalty system. 

Other work regarding technical proposals for loyalty systems can be found in [23]. 
In this work, an infrastructure based on smart cards is proposed which allows individu- 
als to introduce their own currencies or loyalty systems. However, they do not deal with 
the problem of achieving privacy in loyalty systems. Another proposal for a loyalty sys- 
tem was presented in [29]. In this work, the authors respect the privacy aspect. However, 
the goal of the system was not to provide unlinkability of transactions. The solution is 
based on pseudonymity, and thus provides a weaker form of privacy protection. 

7 Conclusion 

We have presented a privacy-friendly loyalty systems that does not allow vendors to link 
customers’ transactions. The presented approach basically consists of a counter for loy- 
alty points secure against forging and linking of transactions. The counter is increased 
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in a blind signatures protocol exploiting the problem to compute discrete logarithms in 
groups of prime order. In the redeem phase, the counter can be verified efficiently in 
one step, regardless of the number of loyalty points that have been collected. Loyalty 
systems can provide an important strategy for vendors’ customer relationship manage- 
ment to retain customers and to increase the incentive for repeated buying. The privacy 
property of our proposal may attract customers that usually refuse to become members 
of a loyalty program since they fear infringements of their privacy. 
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Abstract. Pinkas and Sander’s (2002) login protocol protects against 
online guessing attacks by employing human-in-the-loop techniques (also 
known as Reverse Turing Tests or RTTs). We first note that this, and 
other protocols involving RTTs, are susceptible to minor variations of 
well-known middle-person attacks, and suggest techniques to address 
such attacks. We then present complementary modifications in what we 
call a history-based protocol with RTT’s. Preliminary analysis indicates 
that the new protocol offer opportunities for improved security, improved 
user-friendliness (fewer RTTs to legitimate users), and greater flexibility 
(e.g. in customizing protocol parameters to particular situations). 



1 Introduction 

Recent interest has arisen in tests which distinguish humans from computers, and 
in using such tests to ensure human involvement in a wide range of computer- 
based interactions. The idea is to find simple tasks which are relatively easily 
performed by a human, but which appear difficult or infeasible for automated 
programs to carry out - for example, visually recognizing distorted words. Mech- 
anisms involving such tests have been referred to as human-in-the-loop protocols, 
mandatory human participation schemes , and Reverse Turing Tests (RTTs) [19, 
5,22], 

One specific purpose for which RTT challenges have been proposed is pro- 
tecting web sites against access by automated scripts. RTTs are currently being 
used to protect against database queries to domain registries, to prevent sites 
from being indexed by search engines, and to prevent “bots” from signing up for 
enormous numbers of free email accounts [5] . They have also been proposed for 
preventing more creative attacks [4] . 

Our main interest in RTTs is their use to protect web servers against online 
password guessing attacks (e.g. online dictionary attacks). The idea is that auto- 
mated attack programs will fail the RTT challenges. A specific instance of such 
a protocol was recently proposed by Pinkas and Sander [20] (see §3). While this 
protocol appears to be quite simple, closer inspection reveals it to be surprisingly 
subtle and well-crafted. Simpler techniques preventing online dictionary attacks 
are not always applicable. For example, account lock-out after a small number 
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Fig. 1 . RTT Relay Attack 



of failed password attempts may result in unacceptable side effects, such as in- 
creased customer service costs for additional telephone support related to locked 
accounts, and new denial of service vectors via intentional lock-out of other users 
[24] . Another standard approach is to use successively longer delays as the num- 
ber of successive invalid password attempts on a single account increases. This 
may lead to similarly unacceptable side effects. 

In this paper, we begin by noting that many RTT-basecl protocols, including 
that of Pinkas and Sander, are vulnerable to an RTT relay attack : RTT chal- 
lenges may be relayed to possibly unsuspecting parties, who generate responses 
which are then relayed back to the challenger. We explore this threat and mech- 
anisms to address it, and propose additional (orthogonal) enhancements to the 
Pinkas-Sander protocol. 

This paper is organized as follows. §2 presents the RTT relay attack. §3 dis- 
cusses background context and assumptions, including a reference version of the 
basic RTT-based login protocol. §4 presents a new variation, with enhancements 
aimed towards usability, security against online dictionary attacks, and param- 
eter flexibility. §5 discusses standard techniques to augment general RTT-based 
login protocols to prevent, detect or deter attacks including the relay attack. 
§6 provides background and a summary of related work. §7 contains concluding 
remarks. 

2 RTT Relay Attack 

A relay attack (see §6) may be carried out on online protocols involving an RTT 
by relaying the RTT challenge to an auxiliary location or “workforce” which 
generates responses, which are relayed back to the challenger. The original RTT 
target thus escapes computing RTT responses. 

One attack variant might proceed as follows (see Fig. 1). Assume there are 
two web sites 1 . The first, say ebay.com, is assumed to be the target of regular 
online dictionary attacks, and consequently requires correct responses to RTT 
challenges before allowing access. The second, say CNN.com, is a popular high 
volume web site, which for our purposes is assumed to be vulnerable to compro- 
mise. The attack begins with an adversary hacking into the CNN.com site and 
installing attack software. 

1 The authors have no affiliation with ebay.com or CNN.com, and no reason to believe 
either site is insecure. These sites are used as examples simply due to their popularity. 






Addressing Online Dictionary Attacks 



41 



Upon a user initiated HTTP connection to CNN.com, the attack software 
receives the request and initiates a fraudulent login attempt to ebay.com. The 
attack software, presented with an RTT challenge from ebay.com, redirects it to 
the CNN.com user connection, instructing that user to answer the RTT to get 
access to CNN.com. (Many users will follow such instructions: most users are 
non-technical, unsuspecting, and do as requested.) The CNN.com user responds 
to the RTT challenge. The attack software relays the response to ebay.com, 
completing the response to the challenge to the fraudulent login attempt. In 
conjunction with replying to eBay’s RTT challenge, after a sufficient number 
of passwords guesses (e.g. dictionary attack), an eBay account password can be 
cracked. The procedure is repeated on other accounts, and the attack program 
summarizes the online dictionary attack results for the adversary. 

The attack is easy to perform if the adversary can control any high volume 
web site - e.g. a popular legitimate site the attacker compromises (as above), 
or an owned malicious site to which traffic has been drawn, e.g. by illegally 
hosting popular copyrighted content, a fraudulent lottery, or free software. A 
related attack involves attack software which relays RTTs to groups of human 
workers (“sweatshops”), exploiting an inexpensive labor pool willingly acting 
as a mercenary RTT-answering workforce. An unconfirmed real-world variant 
reported [21] to involve an “adult web site” requiring users to solve RTTs before 
being served the content; presumably those running the site relayed the answers 
to gain access to legitimate sites which posed the original RTT in the hope of 
preventing automated attacks. Our discussion of mechanisms to counteract such 
threats continues in §5. 

3 Background, Constraints, Assumptions, and Objectives 

For reference, Fig. 2 provides a simplified description of the original RTT-based 
login protocol (for full details, see [20]). The system parameter p is a probability 
which determines the fraction of time that an RTT is asked, in the case that 
an invalid userid-password pair is entered. In the case of a successful login, the 
protocol stores a cookie on the machine from which the login occurred; the cookie 
contains the userid (plus optionally an expiration date), and is constructed in 
such a way (e.g. using standard techniques involving symmetric-key encryption 
or a MAC) that the server can verify its authenticity. 

For context, we next state a few assumptions and observations relevant to 
both the original and new protocols. We begin with a basic constraint. 
Constraint 1: Account Lock-out Not Tolerable. We are interested in protocols 
for systems where locking-out of user accounts after some number of failed lo- 
gin attempts is not a viable option. (Otherwise, online login attacks are easily 
addressed - see §1.) 

Trust Model Assumptions: Trusted Host and Ephemeral Memory. We assume 
that client computers, and any resident software at the time of use, are trusted 
(e.g. no keyboard sniffers or malicious software run on the machine). This is 
standard for (one-factor) password-based authentication protocols - otherwise, 
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1 fix a value for system parameter p, 0 < p < 1 (e.g. p = 0.10) 

2 user enters userid/password 

3 if (user PC has cookie) then server retrieves it 

4 if (entered userid/password pair correct) then 

5 if (cookie present & validates & unexpired & matches userid) then 

6 login passes 

7 else % i.e. cookie failure 

8 ask an RTT; login passes if answer correct (otherwise fails) 

9 endif 

10 else % i.e. incorrect userid/password pair 

11 set AskAnRTT to TRUE with prob. p (otherwise FALSE) f 

12 if (AskAnRTT) then 

13 ask an RTT; wait for answer; then say login fails 

14 else 

15 immediately say login fails 

16 endif 

17 endif 

| This setting is a deterministic function of the userid/password pair [20] 
Fig. 2. Original RTT-based Login Protocol (simplified description) 



the password is trivially available to an attacker. For similar reasons, we assume 
client software leaves no residual data on user machines after a login protocol 
ends (e.g. memory is cleared as each user logs out). In practice it is difficult to 
guarantee these assumptions are met (e.g. for borrowed machines in an Internet 
cafe); but without them, the security of almost all password protocols seems 
questionable. 

Observation 1: Limited Persistence by Legitimate Users. A typical legitimate 
user will give up after some maximum (e.g. C = 10) of failed logins over a fixed 
time period, after which many will check with a system administrator, colleague 
or other source for help, or simply stop trying to log in. Large numbers of suc- 
cessive failed logins, if by a legitimate user, may signal a forgotten password or 
a system availability issue (here login failures are likely not formally recorded by 
the system); or may occur due to an attacker, as either a side effect of attempting 
to crack passwords, or intentionally for denial-of-service in systems susceptible 
to such tactics. 

Observation 2: Users Will Seek Convenience. If a login protocol is necessary to 
access an online service, and users can find a similar alternate service with a 
more convenient login (though possibly less secure) , then many users will switch 
to the alternate service. User choices are rarely driven by security; usability is 
usually a far greater factor, and poor usability typically leads to loss of business. 

These observations lead us to our usability goal; we state it informally. 

Usability Goal - Minimal Inconvenience to Users. Relative to standard userid- 
password schemes, we wish to minimize additional inconvenience experienced by 



a user. 
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As usual, the usability goal must be met in a tradeoff with security, and 
we have a two-part security goal. One part is protecting specific accounts (e.g. 
certain users may be more concerned about, or require more, protection; or a 
service provider may worry more about specific accounts - say those with high 
sales ratings, or high account values). The second is protecting all accounts 
in aggregate (e.g. a web service provider might not want any user accounts 
misapropriatecl to host stolen software; a content service provider might want to 
protect access to content available to authorized subscribers). 

Security Goal - Control Access to both Specific Accounts and Non-specific Ac- 
counts. Constrain information the adversary learns from trial password guesses 
before being “stopped” by an RTT challenge in the context of fully-automated 
attacks directed towards a specific account (single-account attack) and towards 
any account (multi-account attack). 

In practice, for authentication schemes based on user-selected passwords, pre- 
vention of unauthorized access cannot be 100% guaranteed for a specific account 
or all accounts in aggregate, due to the non-zero probability of correctly guess- 
ing a password, and the ubiquity of poor passwords. Nonetheless, the quality of 
a login protocol may be analyzed independent of particular password choices, 
and this is what we pursue. For a given password, we are interested in how 
effectively a given protocol allowing online interaction prevents extraction of 
password-related information. As little information as possible should be leaked. 

Requiring mandatory human participation increases the level of sophistica- 
tion and resources for an attack. If RTTs are effective and RTT relay attacks 
are countered (e.g. by means such as embedded warnings - see §5.1), then con- 
straining information leaked before being “stopped” by an RTT challenge is an 
important security characteristic of a password-based login protocol. 

4 History-Based Login Protocol with RTT’s 

Here we modify the original protocol, intending to both improve the user ex- 
perience and increase security, e.g. to increase the percentage of time that an 
adversary is challenged with an RTT, without further inconveniencing legitimate 
users 2 . The modifications do not themselves prevent RTT relay attacks (§2), but 
are complementary to those in §5 that do, and can thus be combined. We also 
provide analysis of the new protocol. 

4.1 New Protocol 

We assume familiarity with the original protocol (§3). The new protocol is given 
in Fig. 3. Line changes from the original protocol (Fig. 2) are: lines 7. 1-7.6 
replace 8; and 11.1 replaces 12. The new protocol with failed-login thresholds 
(6i = 0, 62 = 00) behaves the same as the original protocol. 

2 One might try to improve usability by allowing a small number of trial passwords 
per userid without triggering an RTT. While this reduces security only minorly for a 
single-account attack (see §4.2), the problem is greater with multi-account attacks. 
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1 fix values for 0 < q < 1 (e.g. q = 0.05 or 0.10) and integers 61,62 > 0 

2 user enters userid/password 

3 if (user PC has cookie) then server retrieves it 

4 if (entered userid/password pair correct) then 

5 if (cookie present & validates & unexpired & matches userid) then 

6 login passes 

7 else % i.e. cookie failure 

7.1 set AskAnRTT to TRUE if account is in owner mode (otherwise FALSE) 

7.2 if (AskAnRTT) OR (FailedLogins [userid] > 61 ) then 

7.3 ask an RTT; login passes if answer correct (otherwise fails) 

7.4 else 

7.5 login passes 

7.6 endif 

9 endif 

10 else % i.e. incorrect userid/password pair 

11 set AskAnRTT to TRUE with prob. q (otherwise FALSE) j 
11.1 if (AskAnRTT) OR (FailedLogins [userid] > 62 ) then 

13 ask an RTT; wait for answer; then say login fails 

14 else 

15 immediately say login fails 

16 endif 

17 endif 

| This setting is a deterministic function of the userid/password pair [20] 

Fig. 3. New Protocol (History-based Login Protocol with RTT’s). FailedLo- 
gins[userid] is set to the userid’s number of failed logins in a recent period T, and 
updated (not shown). See §4.1 re: handling cookies and definition of owner mode 



We next discuss some differences between the new and original protocols, 
including: cookie-handling (related to owner and non-owner mode) - cookies are 
now stored only on trustworthy machines; per-user tracking of failed logins; and 
setting failed- login thresholds. The idea of dynamically changing failed-login 
thresholds has been previously mentioned [20, §4. 4-4. 6]; we detail a concrete 
proposal and comparison. 

Handling cookies. The original protocol stores a cookie on any device after suc- 
cessful authentication; the new protocol does not. Optional user input controls 
cookie storage similar to web servers using a login page checkbox asking if users 
want to “remember passwords”, e.g. “Is this a trustworthy device you use regu- 
larly? YES/NO”. This part of the page appears if no cookie is received by the 
server. Upon a YES response, a cookie is pushed to the user device only after 
the user successfully authenticates (requiring a successful RTT response, if chal- 
lenged). This cookie approach reduces exposure to cookie theft vs. the original 
protocol, with negligible usability downside because the question appears on the 
same screen as the login prompt (default answer NO). 

The original protocol requires that cookies be tracked by the server and 
expire after a limit of failed login attempts with the particular cookie [20, §4.5]. 
We follow a similar approach. Each time a login fails (e.g. lines 7.3, 13, and 15), 




Addressing Online Dictionary Attacks 



45 



we increment the failed login count associated with the cookie if a valid cookie 
was received. If the cookie exceeds a failed login threshold, we invalidate it. Line 
5 includes a check that the cookie hasn’t been invalidated. The cookie failure 
threshold is the number of failed logins allowed before a cookie is invalidated. 
We recommend setting this to the minimum of b\ and 62. 

Definition of owner, non-owner. A user is more likely to login from “non-owned” 
devices when traveling (e.g. borrowing an Internet access device in a library, 
guest office, conference room, or Internet cafe). Also, a user submitting a login 
request which does not include a cookie is likely to be using a non-owned device. 
As a consequence of how cookies are handled, we can assume (with small error) 
that a user is on a non-owned device if their most recent successful login does not 
include a cookie. We initially define a user account to be in “owner” mode, and 
expect an account to be in owner mode most of the time if most of the time they 
use their regular device (e.g. one of the devices they own). An account transitions 
to “ non-owner ” mode when a login is successfully authenticated without the 
server receiving a valid cookie (Fig. 3, line 7.5), and returns to owner mode 
after a specified time-out period W (e.g. 24 hours) or a successful login with 
a cookie present. The timeout period is restarted, and the account remains in 
non-owner mode, if there is another cookieless successful login. The time-out 
period reduces the number of accounts in non-owner mode, which lowers the 
security risk; accounts in non-owner mode are more susceptible to multi-account 
dictionary attacks (see §4.2). 

Tracking failed logins. We define FailedLogins [userid] to be the number of failed 
login attempts for a specific userid within a recent period T (e.g. 30 days). Here 
failed login attempts includes: non-responses to RTT challenges, incorrect re- 
sponses, failed userid-password pairs, and outstanding authentication attempts 
(e.g. the adversary may simultaneously issue multiple login attempts; one strat- 
egy might be to issue a very large number, and respond to only a subset of 
resulting RTT challenges, perhaps being able to exploit some “weak sub-class” 
of RTTs for which computer-generated responses are feasible). 

Setting the failed-login thresholds (hounds h\ , 62/. Low values for 61, £>2 maximize 
security at the expense of usability (e.g. for users who frequently enter incorrect 
passwords). A reasonable bound may be 61,62 < 10 (perhaps larger for large 
T). In the simplest case the protocol bounds 61 , 6 2 are fixed system variables; 
in a more elaborate design, they (and q) are dynamic and/or set on a per-user 
basis (varying for a particular userid, based on a history or profile and possibly 
subject to system wide constraints e.g. maximum bound on 62). For example, 
certain users who regularly enter a password incorrectly might be given a higher 
failed-login threshold (to increase usability) compared to users who almost al- 
ways enter correct passwords. If it is expected or known from a historical profile 
that a user will log in L times over a period T, and that say 5% of legitimate 
login attempts fail, then 62 might be set somewhat larger than (0.05) * L (e.g. 
T = 30 days, L = 100, 62 = 5). Over time, per-user rates of legitimate failed lo- 
gins (e.g. mistyped or forgotten/mixed up passwords, perhaps more frequent on 
unfamiliar machines) can be used to establish reasonable thresholds. To simplify 
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presentation, updating of per-user table entries FailedLogins [userid] in Fig. 3 is 
not shown. Note that while per-user values require server-side storage when these 
values cannot be user-stored via cookies, a small amount of per-user server-side 
storage is already required in both the original and new protocol to ameliorate 
cookie theft (see above). (Optionally, setting the RTT challenge probability q 
on a per-user basis also allows flexibility for tuning usability and security on a 
per-account basis.) 

4.2 Comparitive Analysis Security and Usability 

For a comparitive analysis of the new protocol with the original protocol, we first 
focus on the analysis for a single account, with respect to security and usability. 
We generally follow the assumptions from the original protocol [20], including 
that passwords are from a fixed set (dictionary) of cardinality N, and that for 
analysis purposes they are equally probable. The probabilities p and q are as 
defined in the protocols. 

Discussion of Security (Single- Account Attacks). To aid our single-ac- 
count security analysis, we use the following questions (and assume for now no 
cookie theft, i.e. an attacker knows a userid but has no corresponding cookie). 
For a single user account, for the original and new protocols, what is the ... 
Ql: expected number of passwords eliminatable from the space, answering no 
RTT’s? Q2: expected number of RTT’s an attacker must answer to correctly 
guess a password? Q3: probability of a confirmed correct password guess for 
attacker willing to answer c RTT’s? 

The answers summarized in Table 1 are based on the best attack strategies 
known to us 3 . For Q2 and Q3, perhaps surprisingly, this involves an attacker 
simply answering the first c RTT’s sent 4 . Since better attack strategies may 
exist, e.g. our answers to Q3 should be interpreted as lower bounds, albeit under 
conditions favorable to the attacker: we assume that failed login counts are 0 at 
the start of an attack. 

Some observations follow. Rows Ql and Q2 indicate that the number of 
passwords that an attacker is able to eliminate “for free” (without any RTT’s) is 
substantially greater in the original protocol 5 . A second observation favoring the 
new protocol is evident from rows Q3b and Q3c: the probability of a successful 
attacker guess in the new protocol (on the order of 1 /N) is generally significantly 
smaller than in the original (on the order of 1/pN), except that when 62 is 
relatively large the new protocol’s behaviour effectively becomes that of the 
original, with probability c/qN matching the table entry c/pN for the Original 
Protocol; when 62 is small, 62 + c is less than c/q, so the probability in the new 
protocol is better, i.e. less than the original. 

3 Currently, we make a simplifying assumption: an account is in one of the two modes. 

4 Additional details on attack strategies and Table 1 will be provided in the full paper. 

5 For the new protocol, these figures are per time period T. However for a sophis- 
ticated multi-period attack, the new protocol remains better (fewer passwords are 
eliminatable), assuming p = q, unless at least A/62 time periods are used (e.g. about 
1600 years for T = 1 month, N = 100 000 and 62 =5). 
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Table 1. Tabular data for comparitive analysis (single-account attack), q is used for p 
in the new protocol to emphasize possible use of different values (p = q is also possible). 



Question 


Original Protocol 


New Protocol 






j Account Mode j 


Owner 


Non-owner 


Q1 


(1 -P)N 


zi = (1 - < 7)62 


Z 2 =max(bi, (1 — 9 ) 62 ) 


Q2 


-oPN 


£(JV-*i)«JV/2 


*(JV-* 2 ) 


Q3a (c = 0) 


0 


0 


bi/N 


Q3b (c = 1) 


1/pN 


(1-(1 -q) b2+1 )/qN 


(61 + 1 )/N 


Q3c (c > 2 ) 


c/pN 


min(f ,& 2 +c)/N ( 


(61 + c)/N 



(Upper bound 



Table 2. Fraction of the time a legitimate user must answer an RTT (1.0 = 100%). 
As in Table 1, q is used in place of p in the new protocol. 

(After the failed login bound is crossed in the new protocol, in several cases - e.g. on 
incorrect passwords, and correct passwords without valid cookies - RTT’s occur more 
frequently (i.e. 100% of the time after the bound is crossed within period T). However 
for accounts in owner mode we expect a large number of users select a “Remember 
password” option (standard in many applications) which stores passwords locally on 
their regular machines. No failed passwords are expected from such users; but note 
their failed login thresholds may still be crossed due to attacker activities. 





Original Protocol 


New Protocol 






| Account Mode | 


Owner 


Non-owner 


Incorrect password 


P 


it 


it 


Correct password - valid cookie 


0 


0 


0 


Correct password - no valid cookie 


1.0 


1.0 


Of 



Note: for both c = 1 and c > 2, the table gives a probability (i.e. an expec- 
tation over a large number of runs). The new protocol has a guaranteed upper 
bound on the probability: (62 + c)/N . 

According to row Q3a, for an attacker unwilling to answer any RTTs, the 
security is the same in both protocols except we relax security (i.e. to b\/N) 
for some small number of accounts in non-owner mode to improve usability (see 
usability improvement in Table 2, bottom row). 

A security analysis for multi-account attacks (wherein an attacker’s goal is 
to break into any one of many accounts, not necessarily a specific account) and 
parallel login attacks (wherein an attacker may try to simultaneously login to 
one userid a large number of times on different servers) is left for the full version 
of this paper. 

Discussion of Usability. For comparing usability between the original and 
the new protocols, Table 2 notes the proportion of time a legitimate user is 
queried with an RTT on entering a correct or incorrect password, with and 
without a valid cookie. A case of particular focus for the new protocol is the 
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legitimate “travelling user”, who generally operates with an account in non- 
owner mode and without a valid cookie. The new protocol is significantly more 
user-friendly to such users. We also believe that such users are typically more 
likely to enter incorrect passwords (see discussion in caption of Table 2), and 
therefore increasing usability in this case is significant as one would expect that 
“incorrect password” cases occur far less often in owner mode. 

Also related to usability - the value of the parameter q may be reduced in 
the new protocol without loss of security, due to the use of the failed login bound 
&2 and depending on its value relative to q (see Table 1). This further increases 
usability in the incorrect password case, independent of the discussion in the 
paragraph above. 

Discussion of Cookie Theft. The above analysis assumes that no cookie theft 
occurrs; here we make a few observations in the case cookie it does. 

1. New Protocol. If a cookie is stolen, then within the cookie’s validity period, 
under the recommended cookie failure threshold, the attacker gets min(&i, 62) 
password guesses on the userid. The attack we consider is one where the 
attacker quits all guesses that return an RTT, and having a good cookie, 
hopes to reach line 6 with a lucky guess 6 . 

2. Original Protocol. Similarly, the attacker gets free guesses up to the cookie 
failure threshold. A correct password guess on any of these trials allows a 
successful login without having to answer an RTT. 

Comments, (a) It is less likely that a cookie is stolen under the new protocol, since 
they reside in fewer places - e.g. cookies of the original protocol would show up in 
airport Internet rooms, (b) A combined cookie and non-cookie attack against a 
single account is less likely to be successful in the new protocol, primarily because 
the attacker can reduce the password space to a p - fraction in the original protocol 
even before using the stolen cookie (see related discussion on questions Q1 and 
Q2). 

5 Additional Techniques Augmenting 
RTT-Based Authentication 

Here we propose a number of techniques to augment the original protocol (Fig. 2), 
without changing its basic functionality. This includes addressing RTT relay at- 
tacks (§2). These techniques are intended primarily to improve security, and are 
independent of (orthogonal to) the changes proposed in §4. We present them 
briefly without additional analysis. 

5.1 RTT with Embedded Warning 

Here we propose a simple method to prevent RTT relay attacks. A drawback 
of the proposal is that it requires some thought on behalf of users (which is, in 



This attack may take place in conjunction with one that reduces the password space 
without answering an RTT, or one where the adversary answers c RTTs. 
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some cases, unfortunately unrealistic). However, we believe the general idea may 
be adapted to significant advantage. 

The general idea is to rely upon self-awareness of legitimate users to pre- 
vent unwitting participation in an RTT relay attack. One approach is to make 
RTT challenges user-directed by incorporating a user’s specific userid within the 
RTT itself. Preferably, removing this information is of comparable difficulty as 
answering the RTT itself. 

For example, as part of answering a text RTT, a portion of the text is a 
userid field ' , which the user is warned to compare to their own userid, thereby 
confirming that the RTT is targeted specifically at them (within the embedded 
warning the user is instructed to not answer the RTT if the match fails). As 
an additional optional feature, the RTT might also contain an embedded short 
“help URL” , for a site giving further instructions on the use of this type of RTT. 

This idea is analogous to the now generally accepted, and recommended, 
practice in authentication protocols of putting party identifiers within the pro- 
tected (i.e. signed or MAC’d) region of protocol messages. It is also analogous 
to the typical automated check, when using secure browser cookies, that cookies 
match a particular userid or IP address; and to the matching userid check in the 
original protocol (line 5, Fig. 2). 

5.2 Notification Regarding Failed Logins 

Here we propose a simple method to detect automated dictionary attacks and 
trigger counter-active measures 8 . Once a small threshold (e.g. 3-10) login failures 
occurs for any single account, an automated, out-of-band communication (e.g. 
email) is sent to an address-on-record of the associated legitimate user. If the 
failed logins resulted from the user’s own actions, the user will be aware of the 
failures and can safely ignore the message; otherwise, it signals malicious activity, 
and may lead the user to take such actions as to request 9 changes to server-side 
user-specific login protocol parameters (see §4), or to change their own password 
to a more secure password using the normal change password method. 

As an alternative, albeit less desirable 10 , after some larger number of failed 
logins (e.g. 25), the system might automatically reset the user’s password to a 
computer-generated secure password emailed to the user. This would prevent a 
user’s typically weak self-chosen password from being cracked through standard 
dictionary attacks. (Depending on the security policy in use, the user might be 
allowed to change the password back to a weak one if they wish, but at this 
point they may also be motivated to follow recommended password rules.) 

7 A variant instead includes the name of the site being visited, with similar explana- 
tion. (An anonymous referee suggested this.) The choice between web site name and 
userid could be made dynamically, e.g. selecting the shorter of the two. 

8 This expands on administrators manually sending out-of-band messages [20, §4.4]. 

9 For example, through an authenticated channel such as an email to an un-advertised 
pre-arranged address, or a hidden URL provided in the email alert to the user. 

10 This may raise customary issues related to system-generated passwords and system- 
initiated password changes. If used, this alternative must be crafted so as not to 
generate additional customer service calls, which are not tolerated within our scope. 
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This proposal is less effective against multi-target attacks, and slow-channel 
dictionary attacks wherein an automated program tries passwords on a certain 
account after there is likely to have already been a successful login attempt 
(e.g. waiting for a random but minimal delay, such as one-day intervals). In 
some systems, an attacker can confirm if a user has logged in recently (e.g. an 
eBay user), and mount only a limited number of trial password guesses some 
fixed period after each such successful login. This proposal may nonetheless be 
helpful, and other parameters may limit the success of slow-channel attacks. A 
small amount of per-user server-side state is needed, but the original protocol has 
a similar requirement to address cookie-theft [20, §4.5]. A remaining drawback 
of this proposal is degraded usability (additional user attention is required). 

5.3 Consuming Client Resources 

Using Zero-Footprint Software Downloads 

We propose that login protocol variants (e.g. see §4) be augmented by known 
techniques requiring that clients solve “puzzles” consuming client resources, and 
return answers prior to the server verifying a login. This follows research lines 
to combat junk mail (e.g. [8,1]) and denial-of-service attacks [15]. Another aug- 
menting technology is to harden passwords with auxilliary protocols that can 
interact directly with the server [11]. 

Since functionality for performing client puzzles is not resident in standard 
client software (e.g. browsers), this proposal requires allowing Java applets, 
Javascript, or other zero- footprint downloads. We no longer agree with dismissing 
special client-side software outright (cf. [20]); rather, we see opportunity for ad- 
vantageous use. Though perhaps worrisome, most users and organizations now 
operate under the assumption that Java, and certainly Javascript, are turned 
on 11 . Nonetheless, since popular web services should work for 100% of potential 
users, to accommodate those who cannot use zero-footprint software, RTT-based 
login protocols can be designed as follows. Client puzzles (or the like) are sent 
to users. For those unable to answer the puzzles for any reason (in some case the 
server may learn this a priori), the protocol branches to a path replacing the 
puzzle by an (extra) RTT. This RTT will be less convenient to the user (requir- 
ing user attention, vs. machine resources), but we expect this to be a relatively 
small percentage of users, and therefore viable. 

6 Background and Related Work 

The RTT relay attack of §2 is related to general classes of middle-person at- 
tacks and interleaving attacks involving an active attacker inserting itself be- 
tween legitimate parties in a communications protocol, and/or using information 
from one instance of a protocol to attack a simultaneous instance. Such attacks 

11 These are in fact the settings that result from the Internet Explorer default 
(“medium” security), and which we expect remain unchanged by most users. 
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are well-known in cryptographic protocols and have a long history ([6,7]; [18, 
pp. 530-531]). 

For example, challenge-response protocols have long been used to identify 
military aircraft in identify- friend- or- foe (IFF) systems. IFF challenges from en- 
emy challengers have reportedly been forwarded in real-time to the enemy’s own 
planes, eliciting correct responses which were then successfully used as responses 
to the enemy’s original challenges [2, pp. 19-20]. Note that responses in such sys- 
tems are typically automatic; the protocols do not involve entity authentication 
of the querying party. 

Related to this is the well-known grandmaster postal-chess attack: an am- 
ateur simultaneously plays two grandmasters by post, playing white pieces in 
one game and black in the other, using the moves of his opponents against each 
other, resulting in an overall outcome better than the two losses he would have 
achieved on his own. 

The term strong authentication protocols is often used for protocols designed 
to preclude attacks which first obtain appropriate data related to one or more 
protocol runs, and then proceed to crack passwords offline (i.e. without further 
interaction). This line of research began with the early work of Gong and co- 
authors [17,12,13]; Bellovin and Merritt’s EKE protocol [3] then inspired a 
number of others (e.g. Jablon’s SPEKE [14]; Wu’s SRP [23]; see also [16]). 

Offline exhaustive password-guessing attacks typically proceed by trying po- 
tential passwords in order of (perceived) decreasing likelihood. The most prob- 
able passwords are often in conventional dictionaries, or modified dictionaries 
specially tailored to this task. Offline attacks are thus often called dictionary 
attacks , although dictionaries are also used in online attacks (if account lock-out 
and time-delays are not used; see §2). 

Use of system-generated passwords can provide higher security (by better 
password choices), but suffers severe usability issues. Pass phrases have also been 
proposed (e.g. see [27, 26]). Other approaches include system administrators run- 
ning password-crack tools on their own systems ( re-active password checking); 
enforcement of simple password rules or policies at the time of new password 
selection; and at such time, checking for its presence in large customized dictio- 
naries built for this purpose ( pro-active password checking, e.g. see Yan [25] for 
a recent summary) . 



7 Concluding Remarks 

We expect that a large number of lruman-in-the-loop and mandatory human 
participation schemes, unrelated to the RTT-based login protocol discussed here, 
are also subject to the RTT relay attack of §2. 

A major feature of our new protocol (§4) is the additional flexibility and 
configurability, including failed login thresholds and potentially lower RTT chal- 
lenge probabilities (e.g. for suitable b 2 lowering q does not decrease security). 
This allows the protocol to be tailored to match particular environments, classes 
of users, and applications; while determining the optimal parameters for spe- 
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cific user profiles appears non-trivial, we expect further analytical study will be 
fruitful. Another new aspect is storing cookies only on trustworthy machines. As 
mentioned earlier, the new protocol can be parameterized to give the original 
protocol as a special case. While the configurability does complicate protocol 
implementation somewhat, we note that a number of the parameters which are 
optionally dynamic can be managed by automated tools; thus the additional 
human administrative costs are relatively minor. For example, an automated 
tool can keep a running ratio of successful logins to failed logins for the entire 
system, and alter system wide (or account-specific) parameter q, or system- 
wide (or account-specific) failed login thresholds b\ and 62 , based on this ratio. 
A significant improvement of our protocol over prior work concerns protecting 
against relay attacks by forcing an RTT challenge on all login attempts after 
the number of failed logins reaches a threshold. Previous work enabled a signifi- 
cant fraction of the password space to be eliminated with an automated attack. 
Per-user failed-login counts (as used in Fig. 3) also provide protection against 
sweatshop attacks and RTT relay attacks, especially such attacks targeting a 
particular account. Note that embedding warnings within RTTs (§5.1) does not 
by itself protect against sweatshop attacks. 

For practical protection in Internet-scale live systems, we recommend com- 
bining techniques from §5 with those of §4. We see a large number of ways to 
expand on the ideas of §4. In particular, we encourage others to explore the 
use of dynamic parameters (ideally managed by automated tools), and other 
ways to gain advantage by treating users logging in from non-owned devices 
(e.g. traveling users) different from those continually using their regular login 
machines. 
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Abstract. We introduce an authentication framework called Query-Directed 
Passwords (QDP) that incorporates the convenience of authentication by long- 
term knowledge questions and offers stronger security than front traditional 
types of personal questions. Security is strengthened for this scheme by impos- 
ing several restrictions on the questions and answers, and specifying how QDP 
is implemented in conjunction with other factors. Four QDP implementations 
are examined for call center applications. We examine the security and conven- 
ience of one of these implementations in detail. This implementation involves 
client-end storage of questions in a computer file or a wallet card, and follows a 
basic challenge-response authentication protocol. 



1 Introduction 

“Good morning, Alice, and thank you for phoning ABC Finnacial. For 
customer verification purposes, please tell me your: social security num- 
ber, mother's maiden name, date of birth, name of first pet, ...” 

The amount of information in the request above may be exaggerated, but the scenario 
is not. We experience similar customer verification procedures at the beginning of 
many call center sessions, especially those dealing with health insurance and personal 
finances. Yet, the practice of using personal data for authentication is troubling. Is 
knowledge of Alice’s date of birth a good piece of information to use for security? If 
so, should Alice schedule her birthday party far away from the true birth date so that 
no one can learn this “secret” information? And should Alice give her social security 
number to any call center agent who asks? Not only may she have privacy concerns 
with this, but if social security number is used for verification to many call centers, 
isn’t this like re-using a password for different hosts, which we are advised not to do? 

It is clear why a password is not ideal for call center customer verification: the cus- 
tomer cannot remember yet another password. However, are personal knowledge 
questions good substitutes? Let’s compare the two. A password is a secret shared by a 
user and an authenticating host. In contrast, personal knowledge like your social secu- 
rity number and date of birth is not a shared secret and can be learned by an attacker 
through some amount of investigative effort. A password can be changed if compro- 
mised. However, you can’t change your mother’s maiden name. With passwords, we 
are instructed to use different ones for different hosts to eliminate cross-attacks. How- 
ever, there are only a few examples of personal knowledge that are traditionally used 
for authentication so the need to reuse them rises with each new host to which we 
register. Worse yet, because these personal-knowledge questions are known for par- 
ticular hosts (e.g., host X always uses mother’s maiden name), these become standing 
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targets for an attacker to learn this information about customers. To avoid standing 
target questions, some verification procedures require the user to create questions of 
their own (e.g., “What is my first pet’s name?”). However, there is a danger here that 
users may choose questions poorly. Choosing a poor question is similar to choosing a 
weak password that can be guessed or found by dictionary search. For these and other 
reasons, authentication by these personal-knowledge types of questions is not cur- 
rently a good substitute for passwords. So, why is it still widely used? It is because 
memorized passwords are forgotten [1-4] and personal knowledge is not. 

There are alternatives to knowledge-based authentication by password or personal 
knowledge [5]. Tokens, such as smart cards can store or create strong passwords 
without the need for memorization. However, for customer applications, there is a 
significant expenditure to provide tokens and readers to all customers. Biometrics 
suffers the same cost drawback to provide scanners (readers) to customers, and also 
has reliability and logistic drawbacks (e.g., if a fingerprint is compromised, how do 
you change it? [6, 7]). 

Because of deficiencies with these alternatives, we reexamine knowledge-based 
authenticators in this paper, and attempt to obtain a better balance of convenience and 
security for the call center customer application. If this better balance can be obtained, 
there are advantages to this type of authenticator. Like the biometric, users always 
have their personal knowledge. Unlike tokens and biometrics, a user doesn’t need 
special readers for personal knowledge because computer keyboards and telephone 
keypads are the input device, and these are ubiquitous. And because no extra equip- 
ment is needed, personal knowledge authentication is inexpensive. 

Because our application is call center authentication, where customers often need 
to authenticate infrequently and where ease-of-use is important, our work focuses not 
on memorized passwords but on responses to questions based on long-term knowl- 
edge. Although we have just criticized the traditional use of this type of authentica- 
tion, our goal is to retain its inherent convenience and to improve upon its weak secu- 
rity. One way we attempt to attain a balance of convenience and security is by using 
not the traditional questions but a larger base of questions whose answers reside in a 
user’s pennastore memory [8]. Permastore describes a category of long-term memory 
that is persistent over a very long period of time up to a lifetime. This includes com- 
mon personal facts like birth date, but there are other, perhaps trivial facts, like the 
color of car in which you learned to drive and your food preference as a child. In 
addition to the choice of questions, we strengthen security by creating a more rigorous 
framework for their use. 

Attempts to make personal knowledge authentication stronger are not unique. Elli- 
son et al. [9] propose a method, called personal entropy, to encrypt secrets or pass- 
words via the answers to several questions. They base this upon Shamir’s secret- 
sharing scheme [10], also called a (t.n )-threshold scheme, where a secret is distributed 
into n shares of which at least t of these is needed to reconstruct the secret. The n 
shares are encrypted and decrypted using hashed functions of the personal-knowledge 
questions and answers. The emphasis in this work is to offer the user fault tolerance 
by allowing her to forget the answers to some small number of questions, but still 
achieve successful authentication. 

Frykholm and Juels [11] offer an approach, called error-tolerant password recov- 
ery (ETPAR), with the similar goal of deriving a strong password from a sequence of 
answers to personal-knowledge questions. One portion of the method is similar to the 
personal entropy method, distributing the answers to questions in a vector that is used 
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for encryption and decryption. However the ETPAR method achieves fault tolerance 
not by secret sharing but by using error-correcting codes in a scheme called fuzzy 
commitment [12]. The emphasis in this work is offering cryptographically strong 
security to defend against the computationally unbounded attacker. They describe an 
experiment on 9 users over a one-week period for their system-authored questions 
with open answers. 

Our approach is similar to these previous works in at least two respects. We also 
use personal-knowledge questions and can achieve fault tolerance with multiple ques- 
tions. However, there are also differences in our emphasis and approach. The previous 
papers emphasize the cryptographic underpinnings of the approaches, whereas our 
paper deals with details closer to the human end. One example of this is design and 
types of questions. Our approach deals only with system-guided questions and an- 
swers. Another difference is in the use of the approach. Whereas the previous papers 
presented schemes for password storage and recovery, our paper applies query- 
directed authentication to customer call center verification. 

In Section 2, we introduce our method, called Query-Directed Passwords (QDP). 
We describe specifications for questions and answers that underlie this approach. In 
Section 3, we describe the call center application, beginning with requirements and 
then offering four implementations with different security and convenience tradeoffs. 
Security comparisons are made between implementations and we investigate one 
implementation, involving client-end storage of questions, in more detail. Conclu- 
sions and future work are discussed in Section 4. 




Fig. 1. Hierarchy of human authentication, showing query-directed passwords under the cate- 
gory of knowledge-based, pull-type authentication. 



2 Query-Directed Passwords (QDP) 

2.1 Background 

User authentication can be divided into three categories (Fig. 1): knowledge-based 
(which includes passwords), possession-based (which includes tokens), and ID-based 
(which includes biometrics). In this paper, we further divide the knowledge-based 
category into “push” and “pull” passwords. The distinction is that a push-type pass- 
word must be memorized by the user at registration. A pull-type password is recalled 
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from the user’s memory; since it is already in permastore memory, it does not need to 
be memorized first. All pull-type passwords are hint- or query-directed, however 
within this category we make a distinction between the traditional type and our ap- 
proach. We call the first type traditional pull-type authentication, the stereotypical 
example being mother’s maiden name. We call our approach query-directed pass- 
words, or QDP. The distinction is not in an entirely different approach, but in the fact 
that QDP applies a formalism that constrains the types of questions and the procedure 
by which these questions are used. 

We can describe three types of questions and answers for pull-type authentication. 
Examples are listed for each: 

1. Open question and open answer (user creates the questions), 

• What is the name of my first pet? 

2. Selectable question and open answer (system provides the questions for selection), 

• What is my mother’s maiden name? 

• What was the number of my childhood house? 

3. Selectable question and multiple-choice answer (system provides the questions and 
answers for selection), 

• What color is the first family car I remember in childhood? 

1 ) black, 2) white, 3) gray, 4) blue, 5) green, 6) red. 

• How did I travel to my first paying job as a teen? 

1) drove, 2) driven, 3) public transit, 4) carpool, 5) bike, 6) walk. 

2.2 QDP Approach 

In contrast to the traditional approaches of choosing a very limited number of per- 
sonal questions or enabling the customer to create questions, we create QDP questions 
with strict guidelines. Instead of personal facts, QDP questions involve trivial facts or 
opinions such as, "Where is a wall clock in your house?” and "What type of apple do 
you prefer?” These are unlikely to be on your resume or in official personal records, 
so are more difficult for an attacker to learn. Instead of a few questions, QDP requires 
the user to select a number of questions (e.g., 5 to 15). This larger number of ques- 
tions helps authentication in three ways: 1) different questions can be used for differ- 
ent hosts, 2) different questions can be used for different authentication sessions for 
the same host, and 3) if a question becomes compromised, it can be eliminated with 
still other questions to take its place. Instead of the system assigning questions, some 
that the user might consider to be private, the system offers questions for user selec- 
tion, so that any questions considered private need not be selected. Below, we list 
specifications of QDP answers and questions: 

1. Answers must be consistently and easily recalled by a user over time. 

2. Answers must be discriminating of a user. The answer space must be fairly evenly 
distributed across the population and individual answers must be independent of 
one another. 

3. Answers must not be easily guessed or learned. 

4. Answers must not be considered confidential. 

5. Questions offered for user selection must be fairly large in number, and the ques- 
tion selection must be fairly evenly distributed across the population. 

6. Questions chosen by a user must be dispersed in type or topic. 
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Comparisons between traditional questions and QDP questions are shown in Table 1. 
Table 1 . Comparison between traditional pull-type authentication and QDP. 



Traditional 


QDP 


A few traditional questions, or user-created 


System offers pre-created questions for selec- 
tion 


Personal facts that may be learned by others 


Trivial facts and opinions, difficult to learn 
by others 


Few questions 


Many questions 


Can’t be changed if compromised 


Replace with another question if compro- 
mised 


Mandatory information may be considered 
private 


User selects non-confidential questions 



Of the question and answer types described in Section 2.1, we restrict QDP usage 
to type 3 and a subset of type 2. The type 3, selectable question and multiple-choice 
answer, constitute the majority of a user’s QDP questions. We call these QDP multi- 
ple-choice questions. It is straightforward to perform a security analysis upon this 
type because we know questions and permissible answers beforehand. Ideally, we 
also know population statistics such as frequencies of selected questions and answers 
that will help in security analysis. 

QDP questions can also be a subset of type 2 questions, selectable questions and 
open answers, which involve particular questions with numeric answers. “What was 
the street number of my childhood house?” is an example of this. We call these QDP 
numeric questions, and these are often used where a traditional PIN would be used, 
the advantage of the QDP numeric question being that it is elicited from permastore 
with a query, so it is more easily recalled. In Section 4, we will briefly describe how 
we use information extraction techniques to guide a user toward a permissible ques- 
tion and answer of this type. The numeric restriction facilitates this analysis. 

We do not use type 1 questions, open questions and open answers. This is because 
of the difficulty in automatically analyzing such questions and answers (the question 
would need to be understood by a computer as a precondition to security analysis). 

Use of QDP multiple-choice questions alone does not provide the level of security 
required of most applications. If an authentication system were designed with 4 ques- 
tions of 6 multiple-choice answers each, a brute force attacker would be able to guess 
the answer after 6 4 / 2 = 648 guesses on average. If the attacker has some knowledge 
of the user or some knowledge of the distribution of answers, he could guess even 
more quickly. This is far less secure than for a 4-digit PIN, for which 10 4 / 2 = 5000 is 
the average number of guesses needed. Therefore, the security story does not end with 
the QDP questions and answers. Our own use of QDP involves some other contribu- 
tor to overall system security such as a second factor or a particular protocol to 
strengthen security. This is shown by the description of implementations in Section 3. 

We have performed preliminary user testing of QDP and will report this elsewhere. 
One component of this testing was an experiment on answer recall rate over time. In a 
short-term test done weekly for 30 users from Avaya Labs over a 3-month period and 
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longer term testing done 5-6 months after enrollment, users answered about 95% of 
individual questions correctly. With fault tolerance on the 5 to 8 questions asked per 
session, users successfully authenticated 98.5% of the attempts. This test was not 
meant to simulate a secure authentication application but to test whether users could 
recall answers to QDP-type questions at a high enough rate over time to be effective 
for authentication. We have since begun a pilot for password recovery whose purpose 
is security and whose population size is larger and more varied than for the prelimi- 
nary test. 



3 Call Center Application 

QDP has properties that make it applicable to such tasks as computer password recov- 
ery and use of voiced password in a public area. In this paper, we focus on one appli- 
cation, call center authentication. Customer verification is common for financial- and 
health-related call centers. In this paper, we focus on call centers (implying just tele- 
phone communications) rather than contact centers (phone and Web communica- 
tions). This is because the former presents a more constrained and challenging prob- 
lem. The methods presented here can apply to the superset of contact center 
transactions as well. 

3.1 Specifications 

Security is the main objective in authentication, however an important consideration 
in specifying this application is that the authenticating person is a customer. Unlike 
employees, military personnel, or civil servants, there is little leverage to make cus- 
tomers do anything because they can switch to a competitor if they are dissatisfied. 
Therefore, a well-designed call center will offer both security and customer conven- 
ience. These call center specifications are listed below: 

I. Security-Related Specifications: 

1. It should be difficult for an attacker to authenticate in place of the authorized 
customer. 

2. It should be difficult for potential attackers at the host-side to learn the cus- 
tomer’s authentication information. 

3. Compromise detection and recovery are desirable. 

4. It should be difficult for an attacker to mount a successful denial of service at- 
tack. 

5. Progressively adjustable security strengths should be possible. 

II. Customer-Related Specifications: 

1. It should be convenient with respect to time and memory effort for an author- 
ized customer to authenticate. 

2. The customer’s privacy should be respected. 

3. The customer should be allowed some fault tolerance to get a portion of the au- 
thentication response wrong but still to successfully authenticate. 

4. Verification should be possible via the numeric keypad of a telephone. 

5. Verification should also be possible by speaking into the telephone without 
worry that an eavesdropper can learn the authentication information. 

6. The scheme should be inexpensive on a per customer basis. 
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We describe these specifications below and examine how these are met for particular 
QDP implementations in Section 3.3. 

Security specification 1 is the main purpose here, to safeguard confidential infor- 
mation and to prevent transactions by unauthorized persons. There are two types of 
client-side attackers: strangers and acquaintances. Strangers do not know anything 
about the customer prior to the attack. They can guess answers or first learn about the 
customer via whatever public means are available. Acquaintances (which span the 
range from an office colleague to a spouse) already know some things about the cus- 
tomer. With knowledge of the customer an acquaintance can mount an imposter at- 
tack. 

Security specification 2 refers to host-side or insider attack. For instance, if a call 
center operation allows agents to see customer access PINs, then a dishonest agent 
could steal these for fraudulent use. In the world of computer administration, user 
passwords are usually transformed and stored via a 1-way hash function. In this way, 
even administrators with access to password files cannot easily learn user passwords 
because there is no direct transformation from the hashed value back to the password. 

Security specification 3 states that some means of compromise detection and re- 
covery is desirable. A bankcard, for instance, provides tangible means for detecting 
one form of compromise - when you can’t withdraw money because your card is 
gone, it may have been stolen. Recovery involves canceling the card and obtaining a 
new one. In contrast, personal data are almost in a permanent state of “compromise” 
because many people know your date of birth, etc. Furthermore, compromise recov- 
ery is impossible with data such as date of birth. 

Security specification 4 states that denial of service attacks should be difficult. One 
way to cause the system to deny service to a true customer is for someone to answer 
the questions incorrectly a number of times. Most systems will freeze the account 
after a number of failed attempts to prevent brute force attacks. 

Security specification 5 allows fewer questions to be asked for a low-security ap- 
plication, and more for stronger security. Furthermore, even within a single session, 
the customer can start with a “default” security level, then be required to answer more 
questions if a transaction requiring higher than default level is requested. A single 
password does not meet this specification. 

Customer specification 1 states that authentication should be convenient. Security 
and convenience often present conflicting specifications, so a compromise must be 
chosen. Since authentication includes both enrollment and verification, one can an- 
ticipate another tradeoff between these. For instance, a longer time spent to enroll 
diligently might save time later each time the customer verifies. 

Customer specification 2 regards privacy, what information a person wants to keep 
confidential. But personal privacy concerns are different for different people. The 
system should be able to handle differences in privacy preferences. 

Customer specification 3 sets query-directed authentication apart from passwords 
and other authentication options. If you forget a password, you will not be authenti- 
cated. There is no middle ground. The same is true if you lose a smart card or your 
voice fails to verify. However, if a customer forgets an answer to one or more authen- 
tication questions, we’d like to offer him some leeway to still authenticate. It is 
important to say that strength of security should not suffer here, so if for example a 
customer misses an answer, tolerance is not defined as simply asking more questions 
until he gets one right. The number of correct and incorrect answers must both be 
considered. 
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Customer specification 4 is a practical requirement for the targeted telephone me- 
dium. Although it might be convenient to speak an authentication response, speech 
recognition technology is still not reliable enough to correctly recognize all responses 
consistently, especially for unconstrained telephone speech (untrained speaker, unlim- 
ited vocabulary, random telephone line) [13], and for instances of high background 
noise. Therefore, basic interaction is by touch-tone key entry into an 1VR (Interactive 
Voice Response) system. 

Customer specification 5 allows the customer to speak authentication responses (in 
addition to keying them as just specified). However, the customer should not have to 
worry about an eavesdropper overhearing and using the information for attack. An 
example test of this is the following. A customer who works in an open office envi- 
ronment checks her financial information by phone each day. Specification 5 states 
that her office neighbors who can overhear these calls should not be able to learn 
information such as to subsequently impersonate her. A traditional voiced password 
would not meet this specification. 

As many as possible of the adjectives used in the requirements above, “difficult,” 
“easy,” “fault tolerance,” and “security strength” should be quantified. Security and 
convenience are not always measurable in an absolute sense, however we will attempt 
to compare relative merits among options below. 




Fig. 2. The four options for call center authentication are illustrated. Questions Q or question 
indices I(Q) are sent by the call center. Answers A or answer indices 1(A) are returned. 



3.2 Implementations 

We show four ways to implement QDP for call center authentication in Fig. 2 and 
describe these below. 
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3.2.1 Host Store - Basic. The basic host store implementation uses QDP alone in the 
procedure described in Section 2. This provides the least security among implemen- 
tations. The customer phones the call center and is connected with the IVR system for 
performing authentication. After identifying herself by keying in an identity number, 
the system asks a random subset of the customer’s enrolled questions. The customer 
responds by keying in the indices of chosen multiple-choice answers. If all of the 
answers are correct (or some pre-set portion of them), then the customer is suc- 
cessfully authenticated. 

The basic implementation has a number of vulnerabilities. One is that any attacker 
can learn some questions selected by the customer just by phoning the call center and 
entering that person’s (non-secret) identification number. After learning the questions, 
the attacker can make an effort to find the answers. So these questions become a 
standing target for an attacker. Another problem is the small keyspace. For example, 
if there are k = 4 questions with M= 6 multiple-choice answers each, this results in a 
keyspace of 6 4 =1296, which is guessable in 648 tries on average. This is not very 
strong security. Finally, personnel at the authenticating host can easily learn a cus- 
tomer’s information. Questions and answers cannot be hashed as for computer pass- 
words because (for one reason) a telephone has no computing power to perform this 
computation. They can be encrypted at the host, but are vulnerable when decrypted 
for use. 

Notwithstanding these problems, the basic implementation of QDP is more secure 
than traditional pull-type authentication. For a client-end attacker to expose the cus- 
tomer’s questions he could have the following strategy. Phone the call center to ex- 
pose the k questions that are asked for a single authentication session; and answer 
these with random guesses, likely failing authentication. Endeavor to learn the an- 
swers to these k questions offline. Phone again and answer any previously exposed 
questions to which he has learned the answers, and expose new questions. Continue 
this process until authentication is successful. If the total number of questions a user 
has selected is n, then the minimum (worst case) number of sessions to expose all 
questions is n/k. For «=15 and k= 4, the attacker would need at least 4 sessions to ex- 
pose all questions, and could successfully attack in the next session if he learned all 
the answers. We can prevent an attacker from being able to expose all the questions 
by freezing the account after some number of failed questions. If an attempted attack 
is suspected in this case, then the exposed questions can be retired from those selected 
by the customer. This cannot be done with traditional pull-type authentication, where 
the number of potential questions is either fixed or very small. 

The basic QDP scheme can prevent host-end personnel from learning questions 
and answers from one system, then using them on another. This is because questions 
are not as limited or few with QDP as traditional pull-type authentication. A customer 
can use a different set of questions and answers for different hosts. In contrast, there 
are a limited number of hosts where only mother’s maiden name, social security 
number, and date of birth can be used. 

3.2.2 Host Store Plus PIN. A weakness of the basic implementation is that an at- 
tacker can learn the customer’s questions merely by entering into an authentication 
session. We can defend against this vulnerability by asking for a PIN before relaying 
the questions. If the entered PIN is correct, the system asks k questions selected by the 
customer. If the entered PIN is incorrect, then the system still asks k questions, but 
these are not necessarily the customer’s selected questions but rather are a random 
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selection from the N questions in the QDP database. In this way, an attacker cannot 
first learn the PIN by brute force attack, and then independently expose the questions. 
By posing the selected questions depending upon the correct PIN, this increases the 
keyspace from 10 4 plus 1296 for a 4-digit PIN and for four questions, to 10 4 times 
1296, about 3 orders of magnitude greater. 

The drawback of requiring a PIN is that the customer will now have to memorize 
something, and if she forgets will not be able to access her account. This is where a 
QDP numeric question can replace a traditional PIN for the convenience of the cus- 
tomer. 

3.2.3 Host Store Plus Address. Instead of requiring the customer to use a PIN, we 
can keep the customer’s selected questions confidential in another way. When the 
customer wants to authenticate, the questions are sent only to a previously registered 
communications device. If the customer registers the home phone number, then the 
caller identification can be used for this. The same is true for a cell phone or the 
address of a pager or wireless PDA. The degree of security depends on how easily an 
address is spoofed and how exclusively a customer maintains the device. We have 
built an application where the questions are sent as a text message to a cellular phone. 
This has two advantages. One is that the questions are sent only to the registered 
personal device. The other is that a customer can visually read text far faster than 
waiting for the same questions to be spoken. 

3.2.4 Client Store. An inherent drawback to the host store QDP implementations 
described above is that they are vulnerable to host-side attack. An alternative to these 
is to store the questions not at the host but at the client. 

Three parties are involved for enrollment in this client store protocol: customer, au- 
thentication host (call center, in this case), and QDP question server. The enrollment 
procedure is as follows. The customer first accesses the QDP server, likely via the 
Web. This server contains a database of questions with multiple-choice answers. The 
questions have indices, q { , i = 1, N and the answers have indices, Oj, j = 1, M. 
The only peculiarity of this database is that question and answer indices are reordered 
in a random way for each enrollment session. That is, a particular question and par- 
ticular answer will likely have different indices for different visits to the database. 
The customer does not identify herself, but selects questions and downloads them to a 
file on her computer or prints them out. She mentally chooses answers to her selected 
questions - but doesn’t circle the answers or indicate them in any other way. The last 
step of the enrollment is for the customer to send to the authenticating host a file that 
contains the question indices and the customer’s chosen answer indices. 

The verification procedure is straightforward. The customer identifies herself 
whereupon the authenticating host queries the customer with randomly chosen ques- 
tion indices from enrollment. The customer looks up in her file what questions corre- 
spond to those indices and answers with the indices of her answers. If the customer 
answers all correctly, or a number within some pre-determined tolerance, then she 
successfully authenticates. 

The customer file is a rudimentary codebook. It contains a list of codewords, which 
are the question indices, and corresponding decoded “plaintext”, which are the answer 
indices. However, only one of the M answer indices per question is correct. The true 
codebook owner possesses the “key” to this codebook by having knowledge of the 
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answers to the questions. Therefore, to succeed at authentication, a person needs two 
things. One is the codebook and the other is the “key.” 

3.3 Security 

3.3.1 Implementation Comparisons. Table 2 shows how well the different im- 
plementations of Section 3.2 meet specifications of Section 3.1. 



Table 2. Shows how well different QDP call center implementations meet specifications listed 
in Section 3.1. A “Y” indicates that specification is met; “N” indicates specification is not met; 
” indicates specification is met under some circumstances and not under others. 





Host 

Basic 


Host + 
PIN 


Host + 
address 


Client 


Security Specifications: 










1 . resist client attack 


- 


Y 


Y 


Y 


2. resist host attack 


N 


N 


Y 


- 


3a. offer compromise detection 


N 


N 


- 


Y 


3b. offer compromise recovery 


Y 


Y 


Y 


Y 


4. resist denial of service attack 


N 


N 


Y 


Y 


5. offer adjustable security 


N 


Y 


Y 


Y 


Customer Specifications: 










1. convenient 


Y 


Y 


- 


- 
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3. fault tolerance 
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4. numeric keypad input 
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5. voice input without eavesdroppers 


Y 
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Y 


6. inexpensive 


Y 


Y 


- 
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The “host store - basic” implementation is the least taxing of the customer. If the 
user selects QDP questions that she can always remember, there is no extra effort 
needed. However, a major drawback of this implementation is that it has less resis- 
tance to client attack than the other implementations. This is because an attacker can 
learn the customer’s questions by phoning repeatedly, then either learning or guessing 
answers to these questions. 

The “host store plus PIN” implementation requires the next least effort of the cus- 
tomer. A drawback of this implementation is that, if an eavesdropper can hear a cus- 
tomer’s PIN, he can then obtain questions and attack the system in the same way as 
for the basic implementation. We can strengthen the host plus PIN implementation by 
requiring the PIN to be entered via the keypad and by using a number of QDP nu- 
meric questions that are chosen randomly across authentication sessions. 
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The “host store plus address” implementation requires the customer to have some 
device, whether home phone with Caller ID or cell phone. There is expense involved 
if the customer does not otherwise have one of these, and this requirement is poten- 
tially inconvenient because the user must have, or be at, this device when authenticat- 
ing. This implementation meets all security specifications except compromise detec- 
tion. 

The “client store” implementation compares well among these implementations. It 
has similar security to the “host store plus address” implementation, but a major ad- 
vantage is that it entails no device expense. Since this is a “what you know” and 
“what you have” combination, the customer will be inconvenienced if she forgets the 
paper or file on which the indices are written. It is vulnerable to a host attack because 
the host stores indices for each question and answer. However, indices can easily be 
changed periodically, and they are different for different hosts to reduce the danger of 
cross-host attack. 



3.3.2 Client Store Security. The client store implementation has some attractive 
properties of user convenience and security. We examine security of this scheme in 
more depth in this section. 

The client store verification procedure follows a challenge-response protocol. The 
server sends a challenge vector, which is a set of k question indices. The customer 
looks up each question by its index, chooses an answer, and returns the index of the 
answer. The customer returns k answer indices in total. A straightforward way to 
number the answer indices is sequentially from 1 to M for each multiple-choice ques- 
tion. However, if this is done, the potential answer keyspace is only M k . For example, 
for M= 6 choices and k = 4 questions, this is 6 4 =1296. A stronger security scheme is to 
use random numbers for the multiple-choice answer indices. Now, the answer 
keyspace can be arbitrarily high, with the tradeoff that the customer must enter longer 
numbers for each answer. For example, if each answer index is chosen randomly from 
the range [0, ..., 99], then the potential keyspace increases to 100 4 =10 8 ; if the range is 
[0, ..., 999], then the keyspace is 1000 4 =10 12 . 

If an attacker steals the wallet card containing the customer’s selected questions, 
then vulnerability increases. In this case, using random number answer indices adds 
nothing to the security strength because the attacker knows the potential answer index 
for each question. For M= 6 choices and k= 4 questions, the keyspace is 1296. How- 
ever, just like a physical house key, the wallet card provides evidence of compromise 
detection. When the customer finds it is missing, she should notify the call center of 
this, whereupon the current questions will be cancelled. 

We use the term, “poor man’s token” for the client store implementation in which a 
wallet card (or piece of paper) stores the questions and multiple-choice answers. Like 
using a more expensive challenge-response security token, a customer can receive a 
random number challenge and return the appropriate random number response. How- 
ever, there is one significant difference between the electronic token and the paper 
one. The electronic token has a very large number of challenges that it can respond to. 
Challenge numbers are typically 8 to 10 digit numbers, so the number of challenges is 
10 8 to 10 10 . In contrast, a wallet card holds n questions of which k of these are used in 
a session. There are n!/( n-k )! permutations of questions, which for «=15 and k = 4 is 
32,760. This is not a large number of challenges, but is likely to be large enough to 
defend against direct replay attacks given the low frequency of call center authentica- 
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tions per customer. The easier attack is if an eavesdropper can learn the discrete ques- 
tion indices and corresponding answer indices, then he can successfully impersonate 
the customer. The eavesdropper could learn all answer responses in as few as n/k 
sessions, or 4 sessions for our example. This attack can succeed if authentication is 
performed over a channel in plaintext. Telephone transmission is usually in plaintext, 
since the terminal has no computing power to perform encryption, however capture of 
an analog telephone transmission requires physical presence to tap the telephone line. 
In contrast, data network eavesdropping does not require physical presence. So, any 
transmission of authentication information via data channels should be encrypted. The 
SSL (Secure Sockets Layer) protocol is commonly used for communications between 
contact centers and customers on the Web. 



4 Conclusions and Future Work 

We can conclude from the implementations proposed and from the results of prelimi- 
nary user testing that the QDP approach to call center customer verification is promis- 
ing. However, since much of this work is for the purpose of improving customer con- 
venience, the real proof of this will only be found when the scheme is used in a full- 
scale system. We are in the process of implementing a version of the client store im- 
plementation for password recovery use within Avaya. This application has a call 
center component where users can obtain aid in recovering their password over the 
telephone. 

A number of areas require more investigation for this approach. One involves sta- 
tistics of the QDP multiple-choice questions. Specification 2 in Section 2.2 listed 
uniformity of the question and answer spaces and independence of answers to be 
important for discriminating among users. We have done smaller-scale tests on these 
statistics showing a fairly good spread of selections (to be reported in another paper). 
However, no question or answer spread will be perfectly uniform, so we are investi- 
gating different weighting schemes to identify and correct for questions and answers 
that may give an attacker advantage due to non-uniform selection. 

Another area of current work is important for the QDP numerical questions. Since 
the answers are open, we need a proactive method (such as in [14]) for recognizing 
“good” or “poor” answers. For example, the question, “What is my current telephone 
number?” is a poor question because an attacker can easily learn the answer. How- 
ever, the question, “What is Fido’s telephone number?” is a better question because 
an attacker would have difficulty associating a dog’s name with the owner’s tele- 
phone number. We are working on a method that employs information extraction 
techniques to search for question and answer associations in telephone directories and 
in general web searches, and prohibit a user from choosing questions that could be 
associated easily with answers by an attacker. 

There are other open issues that will become clearer with further testing, longer 
experience, and use in real applications. Memory recall has only been tested over 5 
months. Will users still recall their answers consistently over longer periods of time? 
Our current database of 200 questions was authored with some reading into the psy- 
chology of memory, however we are not experts in this area. Can questions be better 
designed? And, no security proposal is complete until opened to the security of secu- 
rity experts and the abuse of potential attackers. Will the QDP approach offer the 
combination of better convenience along with stronger security as proposed? 
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This paper investigates call center customer verification using an authentication 
scheme involving personal-knowledge questions, called Query-Directed Passwords 
(QDP). QDP is shown to differ from traditional personal-knowledge authentication 
schemes (e.g., “What is your mother’s maiden name?”) due to a QDP framework that 
adheres to strict requirements on the types, number, and use of questions. This 
framework provides stronger security while maintaining the inherent convenience of 
the traditional approach. Four implementations for call center customer verification 
are described here. These four implementations differ in how and where the QDP 
questions are stored. One of the most secure implementations involves a 3-party en- 
rollment protocol and client-side storage of the questions on a computer file or on a 
wallet-card. This offers the stronger security of a challenge-response protocol along 
with other advantages such as compromise detection and low cost. 
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Abstract. This is a brief summary of the invited lecture delivered dur- 
ing the conference. The interested reader is referred to [2] for more in- 
formation. 



1 Introduction 

In 1967, a group of French banks decided to offer a credit card service, under 
the form of a mere plastic card. The device was later enhanced with a magnetic 
stripe in 1971. Although magstripe cards display some cryptographic data, they 
are quite vulnerable: using rather simple equipment, it is possible to capture the 
encoded data and manufacture a fake card. 

In 1990, it was decided to improve the security of the card by adding a chip. 
Since november 1992, all cards issued by the French banks are chip cards. 

2 The Cryptography of the French Banking Cards 

Based on the chip, several mechanisms were introduced: 

1. PIN code verification, 

2. RSA authentication, 

3. (triple)-DES authentication. 

The PIN code is a four digit sequence that the card holder enters. It is verified 
either from its enciphered version present on the magnetic stripe, in which case 
both need to be sent to a data center by means of an on-line connection, or else 
by the chip itself. 

RSA authentication is based on an RSA signature of the card number and 
other related data. It is read from the chip and verified by the terminal at the 
point of sale. 

DES authentication is based on the result of a CBC-MAC computation on the 
transaction data, by means of a triple DES key which the chip holds. Although 
simple DES was used when chip cards were launched in 1990, it has now been 
abandoned and replaced by triple DES. Since verification requires knowledge of 
the card’s key, it can only be performed through an on-line connection. 
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In 1998, the “Humpich case” received wide coverage from the press, following 
an “experiment” demonstrating the use of a fake card at an off-line vending 
machine. Cryptographers will agree that the experiment did not show that its 
author was a genius: based on overoptimistic evaluations on the hardness of 
factoring (see e.g. [3]), the designers had originally chosen to use an RSA modulus 
of 320 bit only! RSA moduli now in use are over 768 bits, and quickly moving 
to 1024 bits. 

Following the above, it was understood that the security offered by the chip 
card in an off-line scenario was hampered by more subtle versions of the “yes 
card” fraud. Such cards return a yes answer when a PIN code is submitted and 
display a card number and RSA signature captured form a legitimate card. To 
counter the fraud, it is necessary to replace the “static” authentication offered 
by RSA signatures by a dynamic version based an a challenge/response mecha- 
nism. Such mechanism is offered as an option in the EMV standard [1], under 
the acronym DDA (Dynamic Data Authentication). Taking advantage of the 
adoption of EMV, it has been decided to implement DDA in the French banking 
cards. The author believes this is an unprecedented effort of using public key 
cryptography in mass devices. 



3 The Future 

With triple DES, RSA, and DDA on board, the French banking cards are reach- 
ing a high level of cryptographic sophistication. French people are usually sur- 
prised to discover that in most countries, credit cards have no chip... It is ex- 
pected however that chips will spread out, at least in Europe. Of course, the 
progress of the factoring algorithms is closely followed by the banks, and larger 
key sizes are bound to appear. Why not elliptic curves some day? 
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MasterCard provides internationally accepted debit and credit payment pro- 
grams. These programs provide cost-effective solutions that enable transactions 
to be performed in a wide variety of acceptance environments. 

Until now, to conduct payment transactions at a Point of Sale (POS) ter- 
minal, physical contact was required between the card and the terminal. This 
physical contact would be made by: 

— swiping a magnetic stripe (for magnetic stripe cards) 

— inserting a chip card into a reader (for contact chip cards). 

MasterCard is extending its product range to include “proximity technolo- 
gies” . These technologies enable terminals and cards to exchange data without 
physical contact. 

Proximity technologies include a wide variety of wireless technologies such 
as Radio Frequency IDentifier (RFID) transponders, Bluetooth, Infrared, Wire- 
less Fidelity (WiFi), and contactless chip cards (based on the ISO/IEC 14443 
standard) . Each of these technologies has a unique operational range and mode 
of operation. Depending on the technology used, cardholder devices can make 
payments at distances of up to 10 meters from the POS terminal. 

MasterCard PayPass is the first program to be implemented under the Mas- 
terCard Proximity Payments Program. MasterCard selected the ISO/IEC 14443 
standard for contactless cards. Using this technology, issuers can implement the 
standard in a card form that supports MasterCard or Maestro. MasterCard Pay- 
Pass transactions use the same MasterCard network messages, rules and policies 
as magnetic stripe or contact chip transactions. This means issuers can build on 
their existing network. 

A contactless card uses the electromagnetic field generated by the terminal 
to power its chip. Modulation of this electromagnetic field enables an exchange 
of data between the card and the terminal, typically up to a range of 10 cm (4 
inches) . 

MasterCard PayPass provides a simpler way to pay, and is ideal in pay- 
ment environments where speed and convenience are crucial, (for example, fuel 
pumps, vending machines, quick service restaurants, and convenience stores). 
MasterCard PayPass supports both magnetic stripe and contact chip acceptance 
environments. MasterCard will offer two PayPass implementation options, each 
of which is aimed at a specific target market: 
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— PayPass - Mag Stripe - this is aimed at the magnetic stripe market, comple- 
mentary to the magnetic stripe technology, and uses the current magnetic 
stripe processing infrastructure 

— PayPass - M/Chip - this is aimed at the contact chip market, comple- 
mentary to the contact chip technology, and uses the current contact chip 
infrastructure. 

The design of PayPass included a number of security features to mitigate 
the risk from new threats to the transaction integrity from the introduction of 
proximity technology. These include eavesdropping on transactions as well as 
remote “pickpocketing” of the card data. It also addresses measures to prevent 
the creation of counterfeit magnetic stripe cards, or the misuse of PayPass card 
data for e-Commerce transactions. 
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Abstract. Looking at current cryptographic-based e-voting protocols, 
one can distinguish three basic design paradigms (or approaches): (a) 
Mix-Networks based, (b) Homomorphic Encryption based, and (c) Blind 
Signatures based. Each of the three possesses different advantages and 
disadvantages w.r.t. the basic properties of (i) efficient tallying, (ii) uni- 
versal verifiability, and (iii) allowing write-in ballot capability (in addi- 
tion to predetermined candidates). In fact, none of the approaches results 
in a scheme that simultaneously achieves all three. This is unfortunate, 
since the three basic properties are crucial for efficiency, integrity and 
versatility (flexibility), respectively. Further, one can argue that a seri- 
ous business offering of voting technology should offer a flexible technol- 
ogy that achieves various election goals with a single user interface. This 
motivates our goal, which is to suggest a new “vector-ballot” based ap- 
proach for secret-ballot e-voting that is based on three new notions: Prov- 
ably Consistent Vector Ballot Encodings, Shrink- and- Mix Networks and 
Punch-Hole- Vector-Ballots. At the heart of our approach is the combi- 
nation of mix networks and homomorphic encryption under a single user 
interface; given this, it is rather surprising that it achieves much more 
than any of the previous approaches for e- voting achieved in terms of the 
basic properties. Our approach is presented in two generic designs called 
“homomorphic vector-ballots with write-in votes” and “multi-candidate 
punch- hole vector-ballots”; both of our designs can be instantiated over 
any homomorphic encryption function. 



1 Introduction 

There are three basic paradigms for cryptographic secure ballot elections. The 
first method is based on mix-networks where the tallying officials move the bal- 
lots between them and permute them in the process while changing their repre- 
sentation (e.g., partially decrypting them). Methods for doing this robustly and 
correctly have been designed in the last 20 years, starting with the initial work of 
Chaum [7]. In practical implementations, this approach in its fully robust form 
(i.e. , proving the correctness of the shuffling) is still considered a slow tallying 
process, even though there have been several steps toward more efficient designs, 
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see e.g. [33, 6, 20, 24, 1, 26, 18]. The second method is based on homomorphic en- 
cryption (started by Benaloh [9,4,3], and then followed by many other works 
including [12, 10, 35, 16, 13, 2]). In this general approach the ballots are encrypted 
and then “compressed” via a homomorphic encryption scheme into a tally. This 
compression property allows fast tallying, and is what makes this approach at- 
tractive. However the drawback is that pure “compressible” homomorphic en- 
cryption is not suitable to deal with write-in ballots. In fact, compression of the 
write-in ballots content is not possible since, information theoretically, if this 
content has no redundancy (which is always possible in the write-in ballots case) 
compression will ruin it. A third approach is based on blind signatures, [17], and 
relies on the voters obtaining a certified secret ballot from the authorities by 
employing the blind signature module. This enables them to embed any form 
of ballot (including write-in) . Subsequently, this approach requires the employ- 
ment of an anonymous channel between the voter and the tallying authorities, 
to hide the identity of the user at the “ballot casting stage.” This requirement 
may be inhibiting and thus people have suggested to combine this approach 
with the mix-net one so that the “anonymous channel” is implemented formally. 
Furthermore, while the previous paradigms support universal verifiability which 
assures robustness, this approach relies on tallier voter interaction and does 
not support it. 

In recent years, due to the aftermath of the USA 2000 presidential election 
debacle as well as other initiatives, e-voting technology has gained high level of 
interest (see [21]). One effort that took place is the joint Caltech-MIT electronic 
voting project. Rivest, who participated in this project, has raised the question 
whether it is possible to incorporate write-in ballots in homomorphic encryption 
based elections in a way that will still maintain its advantages and keep some of 
its computational gains. In fact, Rivest’s question raises the more general concern 
that the cryptographic paradigms optimize different goals, and business wise it 
may be smart to combine them under a single user interface and hope to retain 
some of their individual advantages and to try to gain more by a combinational 
approach. 

Homomorphic Vector-Ballot with Write-in Votes. Motivated by this ques- 
tion and issues, we started by attacking the problem of allowing write-in ballots 
as follows: since homomorphic encryption elections are based on a summation 
register (ciphertexts are modular-multiplied together which effectively sums-up 
the ballots under the encryption), write-in ballots need to be read individually. 

To incorporate a write-in choice into a homomorphic encryption based scheme, 
we suggest the design of a composed ballot or a “vector ballot” that is cast by 
each user, and is either a regular (predetermined candidate) ballot or a write-in 
one with indistinguishable external representation in either case. This is the base 
of the vector-ballot approach. This sounds simple, but if done in a straightfor- 
ward fashion this may give voters more “free choice” in ballot representation 
and in cheating, and it may also give more ways to distinguish between users’ 
ballots. Thus, this new design leads to new concerns regarding ballot validity 
and ballot uniformity. In particular, it leads us to the simple yet crucial notion 
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of provably consistent vector ballot encodings, which assures that in spite of the 
extended scenario the ballot is nevertheless legal, i.e. the voter is forced to ei- 
ther select a write-in, or a predetermined choice, but not both at the same time. 
Further, whenever the voter makes one of the two choices, she is forced to enter 
a “neutral” value in the other portion of the vector ballot. The added validation 
proofs by the voter makes the ballot longer, however this price (constant increase 
in validity proof) is reasonable given the enhancement (to be described below) 
it enables. The ballot representation looks the same regardless of whether the 
user votes for a predetermined candidate or casts a write-in ballot. After the 
ballot casting, the vector ballot is split into a “supposedly regular portion” and 
a “supposedly write-in portion” and they are processed (tallied) independently. 

What we have described so far is a combination of two voting approaches: 
homomorphic encryption based and mix-net based. While this is important (as it 
allows the unification under the same user-interface of the efficient homomorphic 
encryption based voting with the write-in “friendly” mix-net voting), by itself 
the resulting scheme as a whole is not more efficient than the two individual 
approaches (and clearly the real bottleneck is the slow tallying robust mix-net 
approach) . 

It is thus, perhaps surprising that our approach that is based on the vector 
ballots has the potential to achieve more efficient tallying than any previous 
proposal for e- voting that allowed write-in ballots and is universally verifiable at 
the same time. The two major points that allow this are explained below: 

1. The predetermined candidate portions of all ballots can be compressed using 
the efficient homomorphic encryption based tallying. 

2. The write-in portions of all ballots are based on an indicator and a write-in 
portion. Based on such indicators we show that they can be processed using 
the new efficient method of shrink- and-mix that we propose. The method 
takes advantage of the fact that the vector ballots are based on homomorphic 
encryption and the fact that, usually, most of the voters select one of the 
predetermined candidates. Thus, using the compressibility of indicators we 
can eliminate a great number of unused neutral write-in portions. We note 
that in a typical scenario, the method achieves a five-fold improvement over 
stand alone mix-network based election (and this will be a noticeable factor 
in practice, since the gain is within the system’s performance bottleneck 
component) . 

Further, the two tallying procedures above are independent. Thus, the tal- 
lying can be performed in two phases. An on-line phase can just perform the 
homomorphic encryption tallying process of the predetermined candidate por- 
tions. This is a very efficient mechanism. In most cases the actual tally and 
winner(s) can be declared based on the these regular votes only and the slower 
tallying of the write-in portions can, in this case, be done off-line and a later 
time. Typically, the winner will be one selected among the leading predetermined 
candidates of the established parties, whereas, say, Mickey Mouse (a popular 
write-in candidate in US elections) can afford waiting a bit longer till he knows 
the actual number of votes he won. 
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The above is the first construction within the vector-ballot approach. It shows 
how we achieve simultaneously the basic properties of universal verifiability and 
support for write-in ballots together with an efficient tallying procedure. Com- 
parison to previous election paradigms is given in Figure 1. 

Multi-candidate Punch-Hole Vector-Ballot. A modular extension of our 
new approach employs our notion of punch-hole vector ballots which enables 
a more suitable scheme for voting with a large number of predetermined can- 
didates. It extends the functionality of our vector-ballot encodings (and thus 
write-ins can still be incorporated). The method introduces a multitude of c 
summation ciphertext registers, one per candidate, while earlier schemes packed 
all the candidate tallies into a single summation register. Note that the vector 
ballot portions in the ballot design correspond to various candidates and to the 
corresponding summation registers. Note further that a ballot needs to have a 
consistent valid encoding and the voter has to prove this validity. This is different 
from the simplistic multi-election ballot in [4]. 

Employing separate registers relaxes the burden of participants by allow- 
ing them to deal with smaller ciphertexts. The gain is especially noticeable in 
case of many candidates. To formalize the ciphertext summation register size re- 
quirement, we introduce the notion of “capacity” of an homomorphic encryption 
function, which measures how many integers can be represented as plaintexts 
within a given summation register. Our punch-hole vector ballot design requires 
the capacity of the underlying encryption to be only n (the number of vot- 
ers), instead of n c required for a single summation register used previously. In 
fact, all leading proposed election methods in the literature that employ sum- 
mation registers, [10,16,13], and allow for n voters and c candidates, indeed, 
require capacity of n c . Note that this may cause problems in selecting the secu- 
rity parameter when the number of candidates is very large: e.g., if the security 
parameter is 768 bits, this restricts the capacity to 2 768 , and if the number of 
candidates is large, e.g. c = 50, and the voting population close to 35, 000, then 
the capacity cannot contain the summation register. 

An important and substantial gain in efficiency of tallying, results from the 
new approach when applied over the ElGamal encryption. The recovery of the 
final tally requires only time 0(cn ) which is polynomial in the number of candi- 
dates, instead of 0(n c ) which is exponential in c, as is the case in the state of 
the art discrete-log based scheme of [10]. We remark that this exponential gain 
is traded against a quadratic - rather than linear - (in c) work done for validity 
checking of ballots; this is a reasonable price to pay for such a gain. 

2 Preliminaries 

Requirements for Voting Schemes. A voting-scheme needs to fulfill a va- 
riety of requirements. A brief presentation of these requirements follows. 

Secrecy. Ensures the security of the contents of ballots. This is typically achieved 
by relying on the honesty of a sufficient number of the participating authori- 
ties and at the same time on some cryptographic intractability assumption. In 
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Fig. 1 . A comparison of our new approach with previous work with respect to the 
following three important properties: (i) efficient-tallying: tallying does not require the 
application of a robust-mix to the total number of ballots; (ii) universal-verifiability: 
any interested third party may verify that the election protocol is executed correctly; 
(iii) write-ins: voters are allowed to enter write-in votes 



particular, any polynomial-time probabilistic adversary that controls some arbi- 
trary number of voters and a number of authorities (below some predetermined 
threshold) should be incapable of distinguishing which one of the predetermined 
choices a certain voter selected or whether the voter entered a write-in. In all 
voting schemes, once a certain number of votes have been aggregated into a 
partial tally, secrecy is not mandatory, e.g., once the votes of a precinct have 
been aggregated it is ok to reveal the partial tally (in fact in many cases it is not 
even desired to keep the partial tallies secret, if some regional statistics are to be 
extracted from the election results) . Thus, voter secrecy will have an associated 
Privacy Perimeter b which will refer to the smallest number of votes that need 
to be aggregated into a partial tally before some information about the partial 
tally can be revealed; we will talk of secrecy with 6-perimeter in this case. A 
more formal discussion of secrecy is deferred to the full version of this paper. 

Universal- Verifiability. Ensures that any party, including an outsider, can be 
convinced that all valid votes have been included in the final tally. 

Robustness. Ensures that the system can tolerate a certain number of faulty 
participants. 

Fairness. It should be ensured that no partial results become known prior to 
the end of the election procedure. 

Another property, which we do not deal with here explicitly, is Receipt- 
Freeness [5,34,27,22,25]. Standard techniques that use re-randomizers (see 
e.g. [2]) can be readily employed in our schemes to allow this property. 

Homomorphic Encryption Schemes. An encryption scheme is a triple (1C, £, 
T>). The key-generation K, is a probabilistic TM which on input a parameter 1“" 
(which specifies the key-length) outputs a key-pair pk, sk (public-key and secret- 
key respectively). The encryption function is a probabilistic TM £ pk :IxP-^C, 
where R. is the randomness space, P is the plaintext space, and C the ciphertext 
space. When P = Z a for some integer a, we will say that the encryption function 
has “ additive capacity ’ (or just capacity) a. The basic property of the encryption 
scheme is that V s ^(£ s ^(- ,x)) = x for all x independently of the coin tosses of the 
encryption function £. If we want to specify the coin tosses of £ we will write 
£ p w(r, x) to denote the ciphertext that corresponds to the plaintext x when the 
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encryption function £ p k makes the coin tosses r. Otherwise we will consider £ p y(x) 
to be a random variable. For homomorphic encryption, we assume additionally 
the operations +, ©, © defined over the respective spaces P, R, C, so that (P, +), 
(R, ©}, (C,Q) are groups written additively (the first two) and multiplicatively 
respectively. 

Definition 1. An encryption function £ is homomorphic if, for all r\,r 2 £ R 
and all X\,X 2 £ P, it holds that £ v y(r\,x\) Q£ p k(r 2 , £ 2 ) = £ p k(?T © i" 2 , x\ + £ 2 ). 

We will consider two examples of Homomorphic Encryption schemes: “addi- 
tive ElGamal” and Paillier Encryption. Both have been employed in the design 
of e-voting schemes in the past, see [10] and [13, 2] respectively (which are also 
the current state-of-the-art schemes in the homomorphic encryption based ap- 
proach). We define them below: 

Additive ElGamal Encryption. It is defined by a triple (1C, £,T>): the key-gener- 
ation K, outputs the description of a finite multiplicative group Q of prime order q, 
with three generators (g, h, f) which are set to be the public-key of the system 
pk; the secret-key sk is set to the value log 9 h. For a public-key ( g , h, f) the 
encryption function £(r, x) equals the tuple ( g r , h r f x ), and the domains P := Z g , 
R := Z g and C := Q x Q. The operations +, © are defined as addition modulo 
q and the operation Q is defined as point- wise multiplication over Q x Q. The 
decryption function T> for a secret-key log 9 h given (G, H) it returns H/G l ° s f h , 
and then it performs a brute-force search over all possible values f x to recover x. 
Observe that (P, +), (R, ©) and (C, ©) are all groups, and the encryption £ is 
homomorphic with respect to these operations. Finally notice that the capacity 
of £ is q. 

Paillier Encryption. [28]. It is a triple (K.,£,T>), defined as follows: the key- 
generation K, outputs an integer TV, that is a product of two safe primes, and 
an element g £ Z^ 2 of order a multiple of TV. The public-key of the system 
pk is set to ( g , TV) and the secret-key sk is set to the factorization of TV. For 
a public-key ( g,N ), the encryption function £(r,x) equals the value (^©(mod 
TV 2 ) and the domains P := Zjv, R := Z^- 2 , and C := h* N2 . The operation 
+ is defined as addition modulo TV, and the operations ©,© are defined as 
multiplication modulo TV 2 . The decryption function T> for a secret-key p , q it 
operates as follows: first it computes A := A(TV) the Carmichael function of 
TV, and given a ciphertext c, it returns L(c A (modTV 2 ))/L(c/ A (modTV 2 )) where 
L(u) = and L is defined over the set of integers {u \ u = l(modTV)}. Again, 
observe that (P, +), (R, ©) and C, Q) are all groups, and the encryption £ is 
homomorphic with respect to these operations. Finally notice that the capacity 
of £ is TV. 

Proofs of Knowledge. Proofs of knowledge are protocols between two play- 
ers, the Prover and the Verifier. In such protocols there is a publicly known 
predicate Q for which the prover knows some witness x, i.e. Q(x) = 1. The goal 
of such protocols is for the prover to convince the verifier that he indeed knows 
such witness. We will concentrate on “3-move” protocols for which the prover 
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acts in the first and third move, and the verifier challenges in the second move 
with a random value from the proper domain (see [11]). Conversations in such 
protocols will be of the form (a, c, r), and the verifier will accept provided that 
a , c, r satisfy some conditions given as part of the specifications of the protocol. 
Proofs of knowledge can be made non-interactive by employing the Fiat-Shamir 
heuristics, [15] (and then, security is shown in the random-oracle model, or al- 
ternatively assuming a beacon, [32]). If the predicate Q accepts a non-interactive 
zero-knowledge proof, and an agent possesses a witness for Q that he wants to 
prove knowledge of, we will say that the agent “writes a proof for Q.” Proofs of 
knowledge of the above type can be combined in “AND” and “OR” fashion in 
an efficient manner. 

Proofs of Knowledge for Homomorphic Encryption. Let (1C,£,V) be 
a homomorphic encryption scheme. Below, we identify useful proof protocols 
(which have been used in various settings and environments). 

Proof of Knowledge of Properly Formed Ciphertext for a Public Plain- 
text. A useful proof of knowledge in the context of e- voting is a proof that shows 
that a ciphertext that encrypts a publicly known plaintext is properly formed. We 
define the predicate Q™ p l er as follows Q('' p ^ r (r) = 1 if and only if £ pk (r, m) = V. 
We remark that proofs of knowledge for the two homomorphic encryptions that 
we consider here (additive ElGamal, and Paillier) are standard and can be done 
efficiently. 

Proof of Knowledge for a Random Shuffle. Observe that using a homomor- 
phic encryption scheme one can “re-randomize” a ciphertext C by computing 
C' := £ p k(0) O C (i.e., C' is uniformly distributed over all ciphertexts that corre- 
spond to the plaintext of C). Suppose now that C\, . . . , Ck is a sequence of cipher- 
texts and C[, . . . , C' k is a random re-encrypted permutation of these ciphertexts. 

We define a predicate Q^ h 1 u f fle Ck ’ Cl ’'"’ Ck so that <3^ 1 u ffi e ’ C ' fc ’ C ' 1 ’’”’ Cfc (o, • • • , r fc , 7 r) = 
1 if and only if C l 7r(j) = f pk (r 7 -,0) O Cj, for j = 1, . . . , k. 

A straightforward approach for a proof for Q^ff^ Ck,Cl, '"’ Ck would require 
0(k 2 ) space. Discovering more efficient proofs is a very active area of research 
(as such proofs constitute the basic operation of a robust mix-network, a fun- 
damental primitive for elections based on mixes) and several papers provided 
sophisticated techniques of shortening the proof as well as relaxing the robust- 
ness model to allow more efficient implementations, [20,24,26,18]. Two of the 
most efficient recent protocols are that of [18] and [26], that allow 0{k )~ size 
proofs with relatively small constant. 

Threshold Homomorphic Encryption Schemes. A (t, m)-threshold homo- 
morphic encryption scheme is a triple (/C, £, V) so that /C is a protocol between 
a set of participants Ai, ... , A m , that results in the publication of the public- key 
pk and the sharing of the secret-key sk so that any t of them can reconstruct 
it. Additionally, V is also a protocol between the participants Ai, . . . ,A m that 
results in the decryption of the given ciphertext in a publicly verifiable manner 
(i.e. each participant writes a proof that he follows the decryption protocol ac- 
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cording to the specifications). Both Additive ElGamal and Paillier encryptions 
have threshold variants, see [30,31, 19] and [16, 13] respectively. 

3 The Vector Ballot Approach 

The participants in our schemes are the voters Vi , . . . , V n , the authorities Ai, , 
A m , and the bulletin board server which is responsible for maintaining an au- 
thenticated communication transcript. Voter eligibility as well as basic ciphertext 
processing operations are also handled by the bulletin board server. Our voting 
approach is divided in four major steps: Setup, Ballot-Casting, Tallying, 
Announcement of the Results. 

In our approach, every encrypted ballot is in fact a “vector-ballot” that has 
three coordinates: the first is a ciphertext that contains possibly one of the pre- 
determined election choices, the second is a flag-ciplrertext that encrypts the 
information whether the voter selects a write-in choice or not; finally, the third 
coordinate possibly contains a write-in choice. A proof of “consistent ballot en- 
coding” will be broken into a number of “consistency arguments” and will ensure 
that the vector ballot is formed properly (i.e. , it either contains a predetermined 
choice in the first coordinate or a write-in choice in the last coordinate and fur- 
thermore the “flag” value is encrypted consistently) . The tallying phase has two 
independent phases: (i) tallying the non-write-in election results using the ho- 
momorphic encryption function properties; (iia) shrinking the number of write- 
in votes using the flag-ciphertexts; (iib) employing a mix-net over the shrunk 
write-in ballot sequence. The general overview of these procedures is presented 
in Figure 2. We describe our approach in detail in the following subsections. 




Fig. 2. The Vector-Ballot E- Voting Paradigm 
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3.1 Setup and Capacity Assumption 

In our approach we will employ a threshold homomorphic encryption function 
(JC,£,T>). We will also employ the necessary assumption regarding the capacity 
of the encryption function: 

Capacity Assumption. The capacity of the encryption function satisfies a > 
M c where c is the number of candidates, and M an integer with M > n (the 
number of voters) . 

Setup. The authorities Ai, , A m execute the protocol K. which results in the 
publication in the bulletin board of the public- key pk. At the same time the 
secret-key sk is shared amongst the authorities A \ , . . . , A m . 



3.2 Ballot-Casting Step 



Each eligible voter gets authorized to the bulletin board and reads the public-key 
pk of the system. The set of choices is defined as Choices := {1, M, M 2 , . . . , M c ~ 1 } 
where M is an integer with the property M > n. 

Formation the Vector-Ballot. Each voter V) publishes a vector ballot {C\ [i] , C 2 [*] , 
Cffi}). If the voter wishes to select one of the predetermined choices of the 
election she selects C\ [i] to be an encryption of one of the values in the set Choices 
while C2 [i] , C3 [i] are encryptions of 0; in particular C\[i] := £ p k(M A_1 ) where 
ii € {1, . . . , c} is the personal choice of the voter, and C'2 [*] := £ p k(0), Cffi] := 
£ p k(0). If the voter wishes to enter a write-in ballot she selects C\[i] to be an 
encryption of 0, C 2 [i] to be an encryption of 1, and C3 [i] to be an encryption of 
some string string, which is the voter’s write-in entry. Formally, C\ [i] := £ p k(0), 
C 2 [i] := £ p k(l) and Cz[i] := £ p k(string, ; ). Together with her vector ballot the voter 
must publish a proof of “consistent ballot encoding.” In particular V) writes a 
proof for the following predicate: 
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The above proof can be done efficiently as discussed in section 2, since it 
is an AND / OR composition of the proof of knowledge for the predicate Q”' p ^ r 
which can be done quite efficiently for either of the two homomorphic encryption 
functions that we consider. Moreover it only adds a small constant overhead 
compared to proofs of previous homomorphic-encryption based voting schemes. 

Regarding the above proof of consistent ballot encoding it is easy to prove 
the following lemma: 



Lemma 1. The only ballot encodings for (Ci[i], C2 [*] , C3W) allowed are: 

(i) The second ciphertext encrypts a 0, the first ciphertext contains a value 
from the set Choices and the third ciphertext encrypts a 0. 

(ii) The second ciphertext encrypts a 1, the first ciphertext encrypts a 0 and 
the third ciphertext is unrestricted. 
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3.3 Tallying Step 

The Non-write-in Part. The vector ballots are parsed so that the first com- 
ponent is collected and the sequence of ciphertexts C\ [1] , . . . , C\ [n] is formed. 
The “tally ciphertext” is defined as C ta iiy = C\ [1] O . . . O C\ [n\. It is easy to 
see that due to the homomorphic property and the capacity assumption, Ctaiiy 
is a ciphertext that hides a value T that satisfies T = Yiev M e * (as an integer), 
where V C {1, . . . , ?r} is the set of voters that did not select the write-in option. 
Observe that if ko, ... , k c - 1 are the tallies won by each of the c candidates, it 
holds that T = + k\M + . . . + k c -\M c ~ l , and ko, ■ . ■ , fc c _i < M, i.e., if we 

write T as an integer in base M we can obtain the counts for each candidate. 

Dealing with the Write-Ins — Shrink-and-Mix Networks. Write-in ballots 
are not “compressible” into a single ciphertext like regular ballots and thus they 
have to be mixed and revealed one by one. Nevertheless our approach allows for 
a significant efficiency improvement that we call a Shrink-and-Mix network. 
A shrink-and-mix network for voting is a mix-network that attempts to shrink 
the input ballot sequence prior to the mix procedure in order to gain efficiency. 
(Indeed gaining efficiency in settings where it is possible is crucial, given the state 
of the art of Mix networks, see [20]). Shrink-and-mix is a concept that naturally 
binds to our approach that combines write-in ballots with regular homomorphic 
encryption based e-voting. This is because in our approach the following unique 
properties are true: 

1. Most voters will not cast a write-in ballot, but rather select one of the pre- 
determined choices of the election. 

2. There is a way to employ the homomorphic properties of the encryption 
function to test whether a small batch of encrypted vector ballots contains 
a write-in without violating the privacy of the voters (given security perime- 
ter b). 

3. There is a way to find the exact number of write-in votes prior to opening 
them, without violating the secrecy of the voters (given security perimeter b ) . 

Justification. For item 1 , observe that in most settings the write-in option will 
be used sparingly by the voters who will typically select one of the predeter- 
mined candidates for the election. For item 2, recall that in the vector-ballot 
approach, each vector ballot {C\[i}, Cz[i\, C^fi]) contains a “flag-ciplrertext” (the 
value C^fi]) that encrypts the value 0 or 1 depending on whether the voter 
voted with one of the predetermined choices (in Ci[i]) or entered a write-in (in 
C$[i\). Suppose now that we have a set of voters and we want the 

authorities to check whether one of them entered a write-in without violating 
the privacy of the voters. Then, simply the authorities collect the flag cipher- 
texts from the vector ballots of these voters C^i], ■ ■ ■ , Cbpif,] and decrypt the 
ciphertext := C2 [i 1 ] O • • • O C*2 [*fe] - Now observe that the decryption of 

Cii,...,ib is the number of write-in votes entered by the voters {*!,...,*&} and 
thus the authorities are capable of deducing whether there is a write-in entry 
among the ciphertexts {C3 [ii] , . . . , C3 [«b] } - 
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For item 3, observe that the ciphertext := C 2 [1] O ■ • • O C 2 [n] is 

an encryption of the number of write-in votes. Thus if the authorities wish to 
find efficiently the exact number of write-ins they have to compute Gy...^ and 
decrypt it (recall that linear computations in the number of voters constitute 
practically optimal complexity for the tallying phase). 

Given the above properties we can now describe the shrink-and-mix method 
which is divided in two separate stages (perhaps not surprisingly named): (a) 
shrink and (b) mix. 

Shrink Stage. First we describe the shrink stage in detail below: 

Functionality Input : the sequence of all vector-ballots. Let V C {1, . . . , n} be 
the subset of voters that entered a non-write-in ballot and denote by V' the set 
{1 , ,n} — V (the subset of voters that entered a write-in). 

Output: a set V* such that V' C V* C {1, . . . , n}. 

Initialize. The authorities A\, . . . ,A m compute the number of write-ins h 
(feasible by item 3 above). Let p denote the probability that an arbitrary voter 
enters a write-in defined as p := h/n. Let b be the desired privacy perimeter for 
the elections. 

Shrink. Let er := (^[l], . . . , C 2 [n]) be the sequence of the second components 
of all ballot vectors and let V* initially defined to {l,...,n}. The authorities 
divide <7 into n/b batches so that each batch contains b ciphertexts. Since the 
probability of an arbitrary voter to enter a write-in is p it follows that the 
probability that a batch contains no write-in is (1 — p) b . The authorities test 
whether each one of the n/b batches contains a write-in or not (as described 
in the item 2 above). If the batch of flag-ciplrertexts that corresponds to the 
voters { ii , . . . , ib} does not contain a write-in we modify V* = V* — {ii, . . . , if,}. 
Assuming that each batch is independent from the other, it follows that the 
expected number of batches without a write-in is ^(1 — p) b , so the expected size 
of V* will be n — n(l — p) b . Observe that the correctness of the shrink stage (i.e. 
V' C V* C {1, . . . , n}) follows easily. The closeness of V* to V' can be calibrated 
by lowering the parameter b. 

Mix Stage. The mix-stage follows. 

Functionality Input: A sequence of ciphertexts cr* := , where 

n* = \V*\, V* is the output of shrink and (G[l], . . . , G[n*}) = (V-jfi] | i € V*). 
Output: a sequence of ciphertexts {G'\I\)i— so that there is a permutation 

7T on {1, . . . , n*} that satisfies G'[i] is a random re-encryption of G[7r(i)]. 

Mix. The authorities A\, . . . , A m execute a “robust mix” for the sequence of 
ciphertexts a* = (G[l], . . . , G[n*]). This can be accomplished by employing any 
existing robust-mix method, [20, 24, 26, 18] . The most straightforward robust mix 
technique has each authority re-encrypting each ciphertext G[i\ and permuting 
the whole sequence randomly to obtain the sequence (G'[l], . . . , G'[n *]) and also 
writing a proof for ’ G ^ ^’ G M’ "’ G ^ n \ Note that authorities perform the 

above steps in sequence by acting on the output of the previous authority. 




The Vector-Ballot e- Voting Approach 



83 



We remark that robust mixes are expensive in terms of computation and 
space, for this reason the shrink stage that our model allows can be crucial for 
the improvement of the efficiency of the mixing. The shrink ratio for a shrink- 
and-mix network is the expected reduction percentage of the given sequence of 
ciphertexts (Cz[i\)i<zv* i.e., the fraction (n— \V*\)/n. Observe that it holds that 
(n — \ V*\)/n = (1 — p) b and thus the shrink ratio equals is (1 — p) b (employing 
average-case analysis) . To illustrate the gain we obtain using the shrink-and-mix 
network consider the following scenario: in many elections it is reasonable to 
expect a write-in probability 1/100, so by setting the privacy perimeter b = 20 
(which is reasonable for the privacy of the voters in most settings) we obtain 
a shrink ratio of approximately 0.81, which means that 81% of the ciphertexts 
will be discarded prior to the execution of the robust mix. This translates to a 
significant gain in the efficiency of the mixing procedure. 



3.4 Announcement of the Results 

First the authorities announce the results for the non- write-in part of the election 
(in fact, this step can be performed prior to the execution of the shrink-and-mix 
network). The authorities A \, . . . , A m execute the protocol V on the ciphertext 
Ctaiiy to reveal the the value T. Due to the properties of the value T it holds that 
if T, as an integer, is written in base M, then the tallies for each candidate are 
revealed (cf. section 3.3); note that due to the capacity assumption there will be 
no wrap-arounds during the computation of the tally ciphertext C t3 \\ y . 

Subsequently the authorities execute the shrink-and-mix network (and fre- 
quently this will be done after the winner of the election is already determined 
from the non-write-in votes) and then they execute the protocol T) for each of 
the ciphertexts G*[l], . . . , G*[n*] that belong to the output of the shrink-and- 
mix network. This will reveal all the strings stringy for i £ V*, where V* is the 
output of the shrink stage. Since V' C V* C {1, . . . ,nj all entered write-ins will 
be revealed (with, perhaps, a number of 0’s that correspond to the ciphertexts 
that were entered by the voters in V* — V'). When string,; = 0 the entry will be 
removed from the write-in vote listing (recall that “0” is not considered a valid 
write-in vote). The final elections results consist of the counts for each of the 
pre-determined candidates as well as counts for the write-in selections. 

3.5 Properties of the Paradigm 

Efficiency. First note that our vector-ballot approach can be readily instan- 
tiated over the two homomorphic encryption functions (additive ElGamal or 
Paillier) that we describe in section 2. 

The Voters ’ Perspective. The activity of each voter in the vector-ballot approach 
includes the following operations: after the setup phase each voter must be au- 
thenticated to the bulletin board server. The bulletin board server maintains 
the listing with all eligible voters. After authentication, the voter reads from the 
bulletin board the public-key of the authorities and all other information that is 
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pertinent to the election, i.e. , the listing of predetermined candidates. The voter 
privately decides on one of the predetermined candidates or to a certain write-in 
choice and publishes her encrypted ballot which consists of the three ciphertexts 
as described in section 3.2. Further she needs to publish the proof of consistent 
ballot-encoding. This is done by writing in the bulletin board the non-interactive 
zero-knowledge proof as described in section 3.2. This proof has size linear to 
the number of predetermined candidates and can be generated very efficiently 
for the two homomorphic encryption schemes that we consider. 



The Authorities’ Perspective. The work of the authorities is divided in two sep- 
arate stages, (i) Before ballot-casting the authorities execute the Setup stage 
of the election that requires them to run the key-generation protocol of the em- 
ployed threshold homomorphic encryption scheme, (ii) After the ballot-casting 
phase the authorities proceed to the tallying phase. The aggregation of the non- 
writein part of voters’ encrypted ballots is a linear operation in the number of 
voters that employs the homomorphic property of the underlying encryption 
scheme. Observe that this task can be arbitrarily distributed to any number of 
entities. Given the aggregated ciphertext the authorities decrypt it by execut- 
ing the decryption protocol of the underlying homomorphic encryption scheme; 
this reveals the counts for the predetermined candidates. It is highly likely that a 
winner of the election can be already determined at this stage. Subsequently, the 
authorities execute the shrink-and-mix protocol. This requires the authorities to 
execute a robust-mix protocol, but only over the encrypted writein ballots that 
remain after the shrinking phase. The shrinking phase by itself is efficient as it 
is only linear in the number of encrypted ballots. Subsequently the execution 
of the robust-mix is performed in the shrunk writein encrypted ballot sequence 
which allows a significant gain as it is argued in section 3.3. Furthermore any 
robust mix can be used in a black-box fashion by our shrink-and-mix method; 
thus we can take advantage of any sophisticated robust shuffling protocol, e.g. 
the schemes of [20, 24, 26, 18]. 

Comparison to Previous Work. We first observe that the efficiency of our 
scheme is comparable to previous approaches in the homomorphic encryption 
based election. In fact the only difference is the small constant overhead that 
is introduced in the part of the voter since she has to provide a proof of a 
consistent ballot encoding. In previous homomorphic encryption based solutions 
the “proof of ballot- validity” is also linear in the number of candidates; note that 
this cannot be improved further if we use encrypted-ballots coupled with a “1- 
out-of-c” non-interactive zero-knowledge proof (which has by definition length 
linear in c). Going beyond the homomorphic-encryption approach, our approach 
allows the incorporation of writein votes. In this respect, we first observe that 
our schemes achieve universal- verifiability, unlike the previous writein approach 
based on blind signatures. When compared to the mix-network approach, we 
also employ a “robust-mix” but we do so with a significant gain compared to 
the previous mix network protocols: indeed since the great majority of the voters 
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will not cast a write-in vote, our shrink- and-mix approach will achieve a five-fold 1 
improvement in many typical scenarios. This is a very significant improvement 
in any practical implementation. 

Security. Regarding the security properties of our scheme we make the following 
claim: The e- voting approach described above satisfies secrecy with 6-perimeter, 
universal-verifiability, robustness and fairness provided that (i) less than t au- 
thorities are malicious, (ii) the underlying homomorphic encryption scheme is 
semantically secure, (iii) participants can consult a beacon for the purpose of 
generating challenges for the zero-knowledge proofs. 

Justification. First we argue about Universal-verifiability: a third party auditor 
can verify that all votes have been counted by performing the following three 
steps: (i) verifying the non-writein part: the auditor recomputes the tally ci- 
phertext Ctaiiy from the first portion of every voter’s vector-ballot and verifies 
that the authorities decrypted C t3 \\ y properly by checking the non-interactive 
zero-knowledge proof of decryption; (ii) verifying the shrinking phase: the audi- 
tor recomputes all ciphertexts that were used in the shrinking stage of 

the shrink-and-mix network and verifies their decryption as in (i). (iii) verify- 
ing the robust mix: the auditor checks all mixing proofs given by the shuffling 
authorities during the mixing procedure. Regarding fairness, we observe that 
no partial sum can be revealed to any third party due to the semantic-security 
of the homomorphic encryption function and the zero-knowledge properties of 
the proofs of consistent ballot encodings. Regarding robustness observe that it is 
guaranteed unconditionally for voters: any eligible voter may fail without having 
any impact on the protocol; furthermore, any number of authorities below the 
threshold t may fail without affecting the protocol. Note that we do not deal 
with failures explicitly affecting the bulletin board server which is a formalism 
used in a black-box fashion in all the cryptographic e- voting literature, [3]. Fi- 
nally, secrecy with 6-perimeter of our scheme is justified based on the semantic 
security of the underlying homomorphic encryption scheme. A formal treatment 
of the security properties is deferred for the full version of the paper. 

4 Punch-Hole / Write-In Ballots 

In settings where the number of candidates c and the number of voters n is 
large it could be the case that it might be detrimental (in terms of efficiency) 
to use any scheme based on the homomorphic encryption approach ([10, 16, 13]) 
as well as our approach of the previous section. This is because the capacity 
assumption (employed by all the above protocols) mandates that the capacity 
a of the encryption function satisfies the condition a > n c . Even worse if the 
additive ElGamal instantiation is used (as e.g. in the case of the scheme of [10]) 
the tallying phase would require a brute-force step proportional to n c which is 
very expensive. For such cases we introduce an alternative generic vector ballot 

1 Assuming writein probability of 1/100, see section 3.3. 
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design for our e-voting approach that is capable of dealing with such settings 
very efficiently. In the variant of our approach of this section, the ballot of each 
voter consists of c + 2 ciphertexts (instead of 3) and the only allowed ballot 
encodings are the following (i) encrypt a single “1” in the first c ciphertexts and 
“0” everywhere else, or (ii) enter a write-in ballot in the last ciphertext, encrypt 
a “0” in the first c ciphertexts and encrypt a “1” in the (c + l)-th ciphertext 
(which plays the role of the “flag-ciphertext”). The encoding can be thought 
of as “punch-hole/ write-in” voting because the voter either “punches” a hole 
in the first c locations (by voting “1”) or enters his write-in choice in the last 
location. In the remaining we briefly explain the approach, mentioning only the 
cases where there is significant difference from our paradigm of section 3. More 
details will be provided in the full version. 

First we note that the capacity assumption will be relaxed as follows: 



Relaxed Capacity Assumption. The capacity a of the encryption function 
satisfies a > n (the number of voters). 

Formation the Vector-Ballot. Each voter V publishes a vector ballot (Ci [i] , C 2 [*] , 
. . . , C c+ \[i], C c+ 2 [i})- If the voter wishes to select one of the predetermined 
choices {1, . . . , c} of the election she selects [i] := £ pk (l), where V € {1, . . . , c} 
is her choice, and then sets C(,[i] := £ p k(0) for all £ £ {1, . . . , c + 2} — {£i}. On 
the other hand, if the voter wishes to enter a write-in she selects C c + 2 [i] := 
f p k(string i ) where string, is her write-in choice, and sets C c+ i[i] := £ P k(l) as well 
as Cf\i] := £ p k(0) for £ = l,...,c. Together with her vector ballot the voter 
publishes a proof of a consistent vector ballot encoding to ensure that her ballot 
is formed properly. More specifically this is done as follows: 

(Consistency Argument #1) V) shows that the first c+ 1 locations of her vector 
ballot contain only a single 1 among c 0’s; this is accomplished as follows: V) 
publishes a random re-encrypted shuffle of the c + 1 ciphertexts C\ [i] , C '2 [*],..., 
C c+1 \i] denoted by (C[ [i], C' 2 [*],..., C' c+l [*]) and proves its correctness. Then, 
the voter opens all ciphertexts C'([i\ (by showing their coin-tosses); this allows 
any third party to verify that the plaintexts encrypted in C[[i],. .. ,C' c+1 [i] are 
exactly a single 1, among c 0’s; due to the zero-knowledge proof this shows that 
the same is true about the corresponding ciphertexts in the vector-ballot; note 
that due to the zero-knowledge properties of the shuffle this step does not reveal 
any information about the location of the 1. 



(Consistency Argument #2). The voter shows that either the two last ciphertexts 
in the vector ballot encrypt 0, or that the (c+ l)-th ciphertext encrypts a 1, i.e., 

V writes a proof for the predicate (<3° p ^+ lW A Qciphet 2 ^) v (QdphlT^) 

It is easy to verify that the above consistency arguments enforce the in- 
tended ballot-encodings. In the tallying phase, the vector ballots are parsed so 
that the first c components are collected and the c sequences of ciphertexts 
Ce[ 1], . . . , Ce [n] are formed for £ = 1, . . . , c. We define c “tally ciphertexts” as 
^taiiy = C^[l] O • • • O Ce[n}. It is easy to see that due to the homomorphic prop- 
erty (74^ is a ciphertext that hides a integer value Tg that equals the number 
of votes that were won by the predetermined election candidate £ € c}. 
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Decrypting these ciphertexts reveals the votes accumulated by each predeter- 
mined candidate. Dealing with the write-in part of each vector-ballot is as in the 
paradigm of section 3. 

Security and Efficiency. The security of the punch-hole/ write-in version of 
our paradigm can be argued in similar terms as the main paradigm. Regarding 
efficiency, the main difference between the punch-hole paradigm and the general 
vector-ballot paradigm is that the encrypted ballot contains c + 2 ciphertexts 
instead of 3. While this may sound as a substantial increase in space it is not so: 
indeed, the security parameter in the vector-ballot paradigm (as well as in any 
homomorphic encryption scheme) must have a linear dependency on c, whereas 
the security parameter in the punch-hole approach is independent of c. Thus 
the two approaches do not differ (in the asymptotic sense) in terms of space. In 
terms of time-efficiency, the punch-hole approach requires more work from the 
voter in the proof of the vector-ballot consistency, but it yields a significant gain 
from the fact that the security parameter does not have to be proportional to 
the number of candidates and that tallying (as described below) can be done 
very efficiently over additive ElGamal encryption — in fact, an exponential gain. 

Exponential Gain for the Additive-ElGamal Instantiation. Observe that 
when the above protocol approach is instantiated with additive ElGamal encryp- 
tion the announcement of the results requires c brute-force searches of a space 
of size n instead of a brute- force step of a space of size ?t c_1 as it is the case with 
previous ElGamal-based encryption-schemes (e.g. [10]). This emphasizes further 
the usefulness of the “punch-hole” approach to increase the efficiency of the sys- 
tem. We remark that this significant gain is independent of the addition of the 
writein part of the election and in fact it can be also executed in the non-writein 
setting of [10]. 

Remark. It has been brought to our attention that a scheme related to the 
punch-hole approach (without the combination of vector-ballots/ write-in votes, 
though) appeared in the Ph.D. Thesis of M. Hirt [23]. 
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Abstract. Most voting schemes rely on a number of authorities. If too 
many of these authorities are dishonest then voter privacy may be vio- 
lated. To give stronger guarantees of voter privacy Kiayias and Yung [1] 
introduced the concept of elections with perfect ballot secrecy. In this 
type of election scheme it is guaranteed that the only thing revealed 
about voters’ choices is the result of the election, no matter how many 
parties are corrupt. Our first contribution is to suggest a simple voting 
scheme with perfect ballot secrecy that is more efficient than [1], 
Considering the question of achieving maximal privacy in other proto- 
cols, we look at anonymous broadcast. We suggest the notion of perfect 
message secrecy; meaning that nothing is revealed about who sent which 
message, no matter how many parties are corrupt. Our second contri- 
bution is an anonymous broadcast channel with perfect message secrecy 
built on top of a broadcast channel. 



1 Introduction 

Voting schemes are legion in the cryptographic literature. Common for most of 
them is that they rely on some authorities to conduct the election. Furthermore, 
if a large group of authorities is dishonest then individual votes may be revealed. 
To some extend this is unavoidable, some degree of privacy violation is inherent 
in any election; a group of voters may subtract their own votes from the result 
and thereby obtain some information about the remaining voters’ choice. In 
terms of privacy, the best we can hope for is to ensure that nobody can deduce 
more about the distribution of honest voters’ votes than what can be deduced 
from the result and knowledge of dishonest voters’ choices. We call this type of 
security perfect ballot secrecy. 

Kiayias and Yung [1] introduced the notion of perfect ballot secrecy together 
with self-tallying and dispute- freeness. Self-tallying means there is no need for 
authorities to tally the votes. Once all votes have been cast, the result can 
be tallied and verified by anybody. Dispute-freeness says that anybody may 
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verify that indeed the parties do follow the protocol. In other words, it is public 
knowledge whether a party performed correctly or tried to cheat. 

Kiayias and Yung [1] presented a self-tallying dispute-free voting scheme 
with perfect ballot secrecy with security based on the Decisional Diffie-Hellman 
(DDH) assumption. Later Damgard and Jurik [2] suggested a somewhat similar 
scheme based on the Decisional Composite Residuosity (DCR) assumption [3]. 
Both schemes work in the random oracle model and assume an authenticated 
broadcast channel; in the present paper, we use this model too. 

Kiayias and Yung [1, 4, 5] rely on a method they call zero-sharing for achieving 
maximal privacy. Not only do they build a voting protocol from this, but they 
also suggest protocols for anonymous vetoing and simultaneous disclosure of 
secrets. 

Our contributions. Our first contribution is a new voting scheme that has the 
same security properties as [1,2] but is simpler and more efficient. We base our 
scheme on the DDH assumption, i.e., ElGamal encryption, but the same ideas 
can be used in combination with the DCR assumption. The reason for this choice 
is that it is easy to generate in a distributed manner suitable groups where the 
DDH assumption is well founded. Distributed generation of a suitable group for 
the DCR assumption is more complicated [6]. 

Our second contribution is to construct an anonymous broadcast channel 
with perfect message secrecy, i.e., no matter which parties are dishonest, they 
are not able to tell among the honest senders who sent a particular message. 
This scheme is related to voting in the sense that using this anonymous channel 
to cast votes gives us a self-tallying voting scheme with perfect ballot secrecy, 
but it may of course also have many other applications. 



1.1 Model 

Throughout the paper, we assume all parties have access to an authenticated 
broadcast channel with memory. We imagine this in the form of a message board 
that all parties can access. Each party has a special designated area where he, 
and nobody else, can write. No party can delete any messages from the message 
board. One way of implementing such a message board would be to have a 
central server on the Internet handling the messages. We discuss this further in 
Section 4. 

When considering security of the protocols we imagine that there is an active 
polynomial time adversary A trying to break them. A is static, i.e., from the 
beginning of the protocol it has control over a fixed set of parties. 

The parties in the protocol work semi-synclrronously; the protocol proceeds 
in phases and in each phase parties may act in random order. We let the ad- 
versary decide when to change to the next phase. Since the protocols we design 
are intended for use with a small number of participants, we find this to be a 
reasonable assumption. Should several parties by accident happen to execute 
their action at the same time anyway, then it is quite easy to recover. 
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2 Self-tallying Voting Scheme with Perfect Ballot Secrecy 

2.1 Security Definitions 

The requirements we want the voting scheme to satisfy are the following. 

Perfect ballot secrecy: This is an extension of the usual privacy requirement. 
In a voting scheme with perfect ballot secrecy the partial tally of a group 
of voters is only accessible to a coalition consisting of all remaining voters. 
This is the best type of anonymity we can hope for in elections where we 
publish the result, since a coalition of voters may of course always subtract 
their own votes. 

Self-tallying: After all votes have been cast, it is possible for anybody, both 
voters and third parties, to compute the result. 

Fairness: Nobody has access to a partial tally before the deadline. We will in- 
terpret this demand in a relaxed way such that it is guaranteed by a hopefully 
honest authority. 

Dispute-freeness: This notion extends universal verifiability. A scheme is dis- 
pute-free if everybody can check whether voters act according to the protocol 
or not. In particular, this means that the result is publicly verifiable. 



2.2 The Voting Protocol 

The basic idea. To quickly describe our idea let us use an analogue with the 
physical world. Assume a group of people want to vote yes or no to a proposal. 
To do this the voters take a box with a small slot and each voter puts a padlock 
on the box. Taking turns the voters one by one drop a white (yes) stone or a 
black (no) stone into the box and remove their padlock. When the last voter has 
removed his padlock, they may open the box and see the result of the election. 
The protocol has perfect ballot secrecy since the box cannot be opened before 
all honest voters have cast their vote, and thus any honest voter’s vote is mixed 
in with the rest of the honest voters’ votes. 

Overview of the protocol. For simplicity, we first describe the protocol in the 
honest-but-curious setting, i.e., corrupted voters may leak information but follow 
the protocol. For simplicity, we also assume there are just two candidates that 
the voters can choose between. 

Initialization: First, the voters agree on a group G q of order q where the DDH 
problem is hard. Let g be a generator for G q . 

All voters now select at random an element in Z q . Each voter j keeps his 
element Xj secret but publishes hj = g Xj . 

Casting votes: Voters may vote in any adaptively chosen order, however, for 
simplicity we assume in this example that they vote in the order 1,2 , ... ,n. 
Let their choices be v\, V 2 , ■ ■ ■ , v n € {0, 1}. 
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The election now proceeds like this: 

1. Voter 1 selects at random n G Z g and publishes (g ri , (IIIL 2 hi) ri g Vl ). 

2. Voter 2 selects at random r 2 G Z g and computes (g r2 , (II ” = 2 
Multiplying this to the first vote, he gets ( g ri+r 2 , (n" =2 hi) ri+r2 g Vl+V2 ) . 
With his knowledge of the secret key X 2 , he may peel of a layer of this 
ElGamal encryption of the partial result. In other words, he computes 
(< 7 r i + r 2 , (117=3 hi) ri+r2 g Vl+V2 ). He publishes this on the message board. 

3. Voter 3 performs the same type of operations as voter 2. He ends up pub- 
lishing (g r ^+ r 2+r 3 ^YY* =i hi) ri+r2+r3 g Vl+V2+V3 ) on the message board. 

n. Voter n performs the same type of operations as the previous voters. 
When he is done, his output is [g^?=i ri , g^?=i Vi ). 

Tallying: From the last voter’s output we can read off g^i=i Vi . We compute 
the discrete logarithm, this is possible since the exponent is at most n, to 
get Y^i = 1 v i- This is the number of 1-votes in the election. 

The full protocol. The protocol as described is not fair, it is possible for the 
last voter to know the result before casting his own vote. As in [1] we deal with 
this by saying that a special election authority must act like a voter and cast a 
zero-vote in the end. Since it is a zero-vote, it does not affect the result. On the 
other hand, the perfect ballot secrecy of the voting scheme ensures that up to 
this point nobody but the authority can know any partial tally. Therefore, if the 
authority is honest then the voting scheme is fair. 

To go beyond the lronest-but-curious assumption and deal with all kinds of 
adversaries all we have to do is to add zero-knowledge proofs of knowledge of 
correctness. These proofs will be the typical 3-move honest verifier proofs (17- 
protocols [7]), where using the Fiat-Shamir heuristic we can make very efficient 
non- interactive zero-knowledge proofs. Security of the protocol will be proved in 
the random oracle model [8] . 

We wish to support a set W of possible votes. Let us write the c candidates 
in W as candidates as 0, . . . , c — 1. We do this by encoding candidate number i 
as (n + 1)*. From a sum °f votes with this encoding we can read off the 

number of votes on each candidate. To compute the result, we have to compute 
the discrete logarithm of g^*= lVi . With n voters and c candidates, the number 
of possible results is With a small number of voters or a small number 

of candidates, it is possible to compute the discrete logarithm. If we have a 
larger number of voters and candidates, we may use a cryptosystem similar to 
the one in [2]. This allows computing discrete logarithms efficiently, but on the 
other hand the key generation becomes much more complicated. Alternatively, 
we may use the anonymous broadcast protocol we present in the next section. 
The full protocol can be seen in Figure 1. 

Performance. Let n be the number of voters, c be the number of candidates, 
and k be the security parameter. We assume that n c < q. 
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Voting Protocol 

Setup: The voters agree on a suitable group G q of order q where the DDH 
assumption holds. Let g be a generator for G q . 

Key Registration: Voter i selects at random Xi £ 7L q and sets hi = g Xi . He 
publishes hi and makes a proof of knowledge of Xi, PK[xi : hi = g Xi ]. 

Any voters who did not supply a key are removed from the list of eligible 
voters. Set the current state of the election to be (1, 1). 

Voting: Voter i wishing to cast a vote Vi £ W downloads the current state of the 
election (it, u), and verifies the correctness of keys and all votes cast up to 
now. Then he selects Vi at random from Z 9 , sets U = ug r ' and 
V = vu - Xi (n qeT hj) ri g Vi , where T is the set of remaining voters. He 
broadcasts ( U , V) as the new state of the election together with a zero 
knowledge proof of knowledge 

PK[(n,Vi,Xi) : hi = g Xi AU = ug Ti A V = vu~ Xi (JJ jeT hj) ri g Vi An £ W], 
i.e., a proof that he knows r,, Vi,Xi making his vote correct. 

Tallying: After all voters have cast their votes the state (it, v) has v = g^'- 1 Vi . 
The discrete logarithm J27=i Vi can b e computed if there are not too many 
voters and candidates, and from this the result can be extracted. 

Fault-correction: If some voters abstained from voting it is possible that the 
remaining voters still want to carry out the election. In that case, they can 
repeat the voting step with the now reduced set of voters. They may gain a 
factor log c in efficiency by proving that they cast the same vote as in the first 
voting phase instead of proving from scratch that the vote belongs to W. 



Fig. 1. The voting protocol 

For each voter it takes 0(1) exponentiations to compute the key hi and the 
associated proof. The size of the key is 0(k). Verification of the n keys takes 
0(n) exponentiations. 

In the voting phase, it takes O(logc) exponentiations to compute the vote 
and the proof associated with it 1 . The vote has size O(Zclogc). It takes 0(n log c) 
exponentiations to verify all the voters’ proofs. 

In comparison, the protocol in [1] lets the voter do 0(n) exponentiations in 
the key registration phase, the key has size 0{nk ), and verification of the keys 
takes 0(n 2 ) exponentiations. In the voting phase, the voter must do O(logc) 
exponentiations, the vote has size 0(k logc), and it takes O(nlogc) exponenti- 
ations to verify all the votes. 

1 Let us sketch where the logc factor comes from. In the proof of correctness of a 
vote the voter has to argue that the encrypted vote is on the form (1 + n) 1 for 
i £ {0, . . . , c— 1}. Let {6i, . . . , 6 fiog cl } be a set of positive integers with the following 
property: for any number 1, . . . , c — 1 there is a subset where the numbers have this 
sum, and for no number larger than c — 1 is there a subset with elements having 
this sum. Write the vote as (1 + n) v = (1 + n)^ i=1 “* = nl=i ^ (1 + n ) a ’, where 

ai = bi V ai = 0, . . . , afiogci = bpogcl V apiogci = 0. This shows that the vote can 
be built as a product of [log c] elements. It is possible to prove correctness of such 
elements and make proofs of products in 0(1) exponentiations, giving a total of 
CJ(logc) exponentiations. 
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The Kiayias and Yung protocol does have the advantage that many voters 
can vote at the same time, whereas we demand that they download the current 
state and use that in making their vote. Since the voting protocols are designed 
for self-tallying and demand that all voters participate we can only see them as 
being realistic in settings with few voters though. With few voters, we believe it is 
reasonable to assume that voters act one at a time; and even if they occasionally 
do not it is easy to correct. 

2.3 Security 

To argue perfect ballot secrecy of the voting protocol in Figure 1 we will show 
that a real-life execution of the protocol can be simulated with knowledge of 
the sum of the honest voters’ votes only. To do so we define two experiments, a 
real-life experiment, and a simulation experiment. 

Real-life experiment. In the real-life experiment the voters Vi, . . . , V n have votes 
vi , . . . ,v„ that they want to cast. An adversary A tries to break the protocol. 
A has full control over a fixed set of corrupt voters and gets as input a string 
z. A controls the flow of the protocol, i.e., it decides when to shift to the next 
phase, and within each phase it can adaptively activate voters. Upon activation, 
a voter reads the contents of the message board, computes its input according 
to the voting protocol, and posts it on the message board. After an honest voter 
has been activated control is passed back to A. Please note that A may choose 
not to activate a voter, in that case the voter does not get to submit a vote. 
Once the election is over A computes an output s and halts. The output of the 
experiment is (s, cont, result), where cont is the contents of the message board 
and result is the outcome of the election if this can be computed from cont. 

We write Exp™ 8 v ^(iq, . . . , v n , z) to denote the distribution of (s,cont, 
result) from the real-life experiment. 

Simulation. In this experiment, a simulator S has to simulate the election. S 
gets as input a string z, including a list of corrupt voters. S controls the random 
oracle; this enables it to simulate zero-knowledge proofs. In the simulation, we 
let a trusted party T handle the message board as well as computation of the 
result. T learns the votes v\, . . . ,v n and which voters are corrupt. In the key 
registration phase, the voting phase and the fault correction phase, T expects to 
receive also the witnesses when S submits a valid key or a valid vote on behalf 
of a corrupt voter. In particular, this means that T learns the plaintext vote 
whenever a corrupt voter tries to cast a vote. Due to the self-tallying property 
of the voting scheme, the honest voters’ partial tally may be revealed at some 
point. We formulate the following rule for letting T reveal this partial tally to 
S. First, T notes which honest voters did not participate in the setup phase or 
the key-registration phase. In the voting phase, if S is about to activate the last 
remaining honest voter then it may query T for the partial tally of the honest 
voters. Afterwards, we demand that S posts a vote on behalf of this simulated 
voter. After the election, S halts with output s. T computes the result using 
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the plaintext votes and the honest voters votes, and outputs the contents of the 
message board and the result. 

We write Exp^”^(ui, . . . , v n , z) to denote the distribution of (s, cont, result) 
in the simulation. 

The simulator S. S runs a copy of A and simulates everything that A sees, 
including the behavior of the honest voters. When A changes phase in the pro- 
tocol so does S. If A lets a corrupt voter post something on the message board, 
S verifies the proof. If the proof is valid, S uses rewinding techniques to extract 
the witness. It then submits the entire thing to T. In particular, this means that 
the vote is submitted in plaintext to T. If A activates an honest party in the key 
registration phase, S selects h t at random and simulates the proof of knowledge 
of Xi . It submits h t and the simulated proof to T. If A activates an honest voter 
in the voting phase, and this is not the last remaining honest voter to vote, S 
picks ( U , V) at random and simulates a proof of knowledge of the corresponding 
X { , r'i . Vi . If the activated honest voter is the last honest voter to submit a vote, 
then S queries T for the partial tally of the honest voters. Knowing the witnesses 
for the corrupt voters’ submissions it can then compute the partial tally of voters 
that have voted so far. Let S be the set of voters that have voted, including the 
voter to vote right now. Let T be the set of remaining eligible voters; all of them 
are corrupt. S picks U at random and computes V = U^- , ^ GT Xj g^ i ^ sVi . It then 
simulates the proof for having computed ( U , V) correctly and gives it to T. At 
some point the simulated A halts with output s. S outputs s and halts. 

Lemma 1 . For any adversary A there exists a simulator S such that the distri- 
butions Exp™ 3 Vn ^(vi , . . . , v n , z) and Exp^^(ui, . . . , v n , z) are indistinguish- 
able for all vi , , v n , z. 

Proof. We use the simulator S described above. To show indistinguishability we 
will go through a series of intermediate experiments Expi , . . . , Exp 3 . We then 
show that Exp ^ 3 1 VnA (vi,...,v n ,z) « Expi(vi, . . . ,v n , z) « Exp 2 (v i,..., 
v n ,z) « Exp 3 (vi, ...,v n ,z)& Exp“^s(wi, . . .,v n ,z). 

Expi works like Exp^ 3,1 v ^ except whenever A submits a valid input on 
behalf of a corrupt voter. In these cases, we use rewinding techniques to extract 
the corresponding witnesses in expected polynomial time. This way for each 
key registration from a corrupt voter we know the corresponding exponent x*, 
and for each vote we know the vote Vi as well as the randomness r, and Xj. 
Having knowledge of the witnesses, we may now run the entire protocol using 
the trusted party T from the simulation experiment to control the message 
board. The outputs of the two experiments are the same, so indistinguishability 
is obvious. 

Exp 2 works like Expi except we simulate all proofs made by honest voters. 
Typically, these proofs are statistical zero-knowledge and then we get statistical 
indistinguishability between Expi and Exp 2 - 

Let us consider Exp 2 a little further. Define = g ri and hij = hff , where r, 
is the randomness used by voter i. Consider the voting phase, denote at a given 
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time S to be the voters that have cast votes already and T to be the voters that 
have not yet acted in this phase. The state at this time is 

(u,v) = (II*, (II II h n)9 T,iesVi )- 

i£S iGSj&T 

Since we are simulating the proofs, we do not need knowledge of ay, ry for honest 
voters. Therefore, to carry out Exp 2 we can first compute a table of the gi’s,hj’s 
and hij's for the honest voters and then use these values. 

Define Exp^ to be Exp 2 where we choose the gi’s,hj’s and hij’s randomly 
from G q . By a hybrid argument using the DDH assumption, the tables of these 
elements in Exp 2 and Exp% are indistinguishable. Therefore, the two experiments 
Exp 2 and Exp 3 are indistinguishable. 

Remaining is the fact that we still use individual votes ly from honest vot- 
ers to perform the experiment. However, note that in the voting phase when 
an honest voter V t updates from (it, v ) to ( U , V) he sets U = ug, and V = 
u (rijeS h ji )(n,6T hij)g Vi ■ The elements {/bjljeT contain new randomness and 
therefore the vote i y is perfectly hidden unless T has no honest voters, i.e., Vi is 
the last honest voter to vote. 

These considerations lead us to modify Exp$ the following way. An honest 
voter who is not the last honest voter to act in the voting phase computes the 
new state (U,V) by picking it at random in G q x G q . An honest voter Vi who 
is the last honest voter to vote computes v ii picks U at random from G q 

and sets V = U^ i ^ TXi g^ i ^s Vi . 

This modifies Exps into Exp^ 1 ^, so these two experiments are perfectly 
indistinguishable. □ 



Lemma 1 says that the election can be simulated without knowledge of the 
honest voters’ individual votes. Moreover, it forces the simulator to submit plain- 
text votes on behalf of corrupt voters, so their votes cannot be related to the 
honest voters’ votes. 



Theorem 1 . The voting protocol described in Figure 1 is self-tallying, dispute- 
free, and has perfect ballot secrecy. If the last voter is an honest authority that 
submits a zero-vote then the protocol is fair. 



Proof. It is easy to see that the protocol is self-tallying if all parties act according 
to the protocol, and the zero-knowledge proofs force the parties to act according 
to the protocol. Likewise, since the zero-knowledge proofs force parties to act 
according to the protocol it follows that the protocol is dispute-free. Perfect 
ballot secrecy follows from Lemma 1. Fairness follows from perfect ballot secrecy, 
since perfect ballot secrecy implies that we cannot compute any partial result 
before the authority submits its vote, and if honest the authority does not submit 
its vote before the end of the election. □ 
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2.4 A Veto Protocol 

Kiayias and Yung suggested a veto-protocol in [5]. By this, we mean that any 
party may veto a proposal, however, it should not be possible to learn who vetoed 
the proposal or how many vetoed a proposal. 

It is easy to implement such a veto protocol with the voting scheme we have 
suggested. We let acceptance of the proposal correspond to a 0-vote. On the 
other hand, a veto is a vote on a random element from Z 9 . This way, if nobody 
vetoed we get a tally, which is 0. On the other hand, if anybody vetoed, then we 
get a tally, which is a random number from Z 9 . Discrete logarithms are difficult 
to compute, however, we do not have to do that, all we need to do is to verify 
that g resun ± 1. 

One problem, which also pertains to the scheme in [5], remains with this 
scheme, since any vetoer knows his own random element and therefore he may 
check whether he is the only one who vetoed. To guard against that we may rely 
on the authority disclosing the result to raise (u, v) to a random exponent from 
Z* before decrypting. This way it is impossible for any cheating vetoer to see 
whether he is the only one to veto the proposal. 

3 Self-disclosing Anonymous Broadcast 
with Perfect Message Secrecy 

3.1 Security Definitions 

In this section, we deal with the possibility of building an anonymous broadcast 
channel on top of an authenticated broadcast channel. We want some strict 
security requirements to be satisfied. The security requirements are quite similar 
to those for self-tallying elections with perfect ballot secrecy but we rename the 
latter notion to stress that anonymous broadcast has many other applications 
than voting. 

Perfect message secrecy: Knowledge of the set of messages to be broadcast 
is only accessible to a coalition of all remaining senders, and this knowledge 
does not include the connection between senders and messages. This means 
that a sender is hidden completely among the group of honest senders. 
Self-disclosing: Once the last sender has submitted his message, anybody may 
see which messages were broadcast. 

Fairness: Until the deadline is reached it is impossible to know what messages 
will be broadcast. Again, we will only demand fairness in a restricted sense, 
namely it will be ensured by a hopefully honest authority. 
Dispute-freeness: It is publicly verifiable whether senders follow the protocol 
or not. 

3.2 The Anonymous Broadcast Protocol 

Physical analogue. The senders one after another enter a room alone. Bringing 
with them they take a box, all boxes look alike, and a padlock for each of the 
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remaining senders. In the room, they write down their message, put it in the box, 
and lock the box with the padlocks corresponding to the remaining senders. Then 
they shuffle around the boxes so nobody can tell them apart. In the presence 
of the remaining senders, they now remove one lock from each box, namely the 
locks that fit their key. As the last sender removes the locks, the messages are 
revealed. 

Idea in the protocol. We use similar ideas as we did in the voting protocol. Each 
voter encrypts his message with the keys of the remaining senders. This means 
that the message will not be revealed until all honest voters have been involved in 
the protocol and peeled off the layer of encryption corresponding to their secret 
key. The sender will rely on this last honest sender to anonymize his message 
with respect to all the honest senders. 

Since the sender cannot know whether he is the last honest sender, he must 
also ensure himself that his message is mixed with the messages of the previous 
senders. Since ElGamal encryption is homomorphic, it is easy to permute and 
rerandomize (shuffle) all the ciphertexts made up to this point. Furthermore, 
efficient proofs of a correct shuffle exist, see [9-11]. 

Summarizing the protocol the method is as follows. The senders all register 
public keys just as in the voting protocol. When a sender wants to add his mes- 
sage to the pool, he encrypts it with the public keys of the remaining senders 
including his own key. Then he shuffles all the ciphertexts in a random way. 
Finally he peels of a layer of the encryption, namely he decrypts all the cipher- 
texts with respect to his own key. He proves in zero-knowledge that all these 
steps have been performed correctly. 

The full protocol can be seen in Figure 2. 

Performance evaluation. Key registration takes 0(1) exponentiations for each 
sender, and each key has size 0(k). To verify the correctness of the keys we use 
0(n ) exponentiations. 

With respect to message submission, we may use the efficient shuffle proofs 
of [9-11]. This way it takes 0(n) exponentiations to compute the new batch 
of ciphertexts and the proofs, and such a batch has size 0{nk). It takes 0(n 2 ) 
exponentiations to verify all the senders’ proofs. 

Simultaneous disclosure. If we remove the shuffling part of our anonymous broad- 
cast protocol, we get a simultaneous disclosure protocol. We can therefore com- 
pare our performance with the simultaneous disclosure protocol of [5], which 
uses 0(n 2 ) exponentiations for each voter in the registration phase, and O(n) 
exponentiations for each voter in the message submission phase. 

3.3 Security 

To argue perfect message secrecy we show that the broadcast protocol can be 
simulated without knowledge of the individual messages. Very similar to the case 
of the voting protocol we therefore define a real-life experiment and a simulation 
experiment. 
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Anonymous Broadcast Protocol 

Setup: The senders agree on a suitable group G q of order q, where the DDH 
problem is hard. Let g be a generator for G q . 

The senders also set up suitable keys for commitment schemes that will be 
used in the zero-knowledge proofs to follow. 

Key Registration: Sender i selects at random Xi £ Z q and sets hi = g Xi . He 
publishes this public key together with a proof of knowledge of Xi. 

Any senders who did not supply a public key are removed from the list of 
senders. 

Message submission: Sender i wishing to send message rrii £ G q . 

Let S be the set of senders who already sent a message, including i, and let T 
be the set of senders who did not send a message. Let {(%', u 7 ')} : j6S\{i} be the 
ciphertexts constituting the state. 

Sender i first checks that all proofs of the previous senders are correct. Then 
he encrypts his message as ( Ui,Vi ) = ( g n , dljeTut*} hj) ri rrn). He picks at 
random a permutation m over S, permutes all ciphertexts {(uj ,Vj)}j^s 
according to this permutation, and rerandomizes them into {{Uj,Vj)}jes. 
Finally, he removes the layer of encryption corresponding to his own private 
key. I.e., he computes {(Uj,Vj) = (Uj,VjU£ Xi )}j<=s- 

He broadcasts this list of ciphertexts together with a proof of knowledge of 
having done all this correctly. 

Broadcasting: The last senders’ output contains Vj ’ s that are the messages 
permuted according to the permutations selected by the senders. 
Fault-correction: We do not have a clever fault correction algorithm; we simply 
start the protocol over again. Depending on the user requirements, we may 
now demand that the senders prove in zero-knowledge that they are 
submitting the same message as before. 



Fig. 2. The anonymous broadcast protocol 



Real-life experiment. We have parties P\, . . . , P n with messages m 1, . . . , m n that 
they want to broadcast anonymously. An adversary A with input 2 controls a 
fixed set of these parties. A also controls the scheduling in the protocol, in other 
words, A decides when to proceed to the next phase, and within each phase A 
activates parties adaptively. When activated a party receives the contents of the 
message board, computes its input according to the protocol, and posts it on 
the message board. Control then passes back to A. In the end, A outputs some 
string s and halts. 

We denote by ’Ex.ppf Pn A (mi, ... ,m n , z) the distribution of outputs (s, 
cont, messages) from the experiment, where cont is the content of the message 
board, and messages is a sorted list of messages from cont. 

Simulation. Again, we have a trusted party T and a simulator S. T controls the 
message board and has as input m 1, . . . , m n and a list of corrupted parties. Dur- 
ing the execution of the protocol it expects S to provide witnesses for correctness 
of the actions performed by corrupted parties. When only one honest party re- 
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mains in the broadcast phase, S can query T for the set of messages m 1 , . . . , rrik 
submitted by honest parties. After this S must then submit this honest party’s 
broadcast to T. In the end, S halts with output s, and T outputs the contents 
of the message board and the set of messages submitted in lexicographic order. 

We write Expo’s (nH, . . . , m„, z) for the distribution of (s, cont, messages). 

The simulator S. S runs a copy of A simulating anything A would see in a real- 
life execution, including the actions of the honest parties. Whenever A changes 
phase, so will S. If A lets a corrupt party submit something with a valid proof 
for the message board, S uses rewinding to extract the witness. This way, in the 
key registration phase S learns the exponent Xi, when corrupt party Pi registers 
key hi . Likewise, when corrupt party P, makes a broadcast, then S learns the 
randomizers used, the new message that was submitted, and the permutation 
7Tj. After extracting the witness, S sends everything to the trusted party T. If 
A activates an honest party Pi in the key registration phase then S picks h t at 
random and simulates a proof that it knows the exponent Xi . If A activates an 
honest party Pi in the message submission phase, and this is not the last honest 
party to act, S selects at random from G q x G q . For each k £ S, where 

S is the set of senders that have been active in the protocol, including Pi, S 
selects at random (Uk, V' k ) and ( Uk,Vk ). It then simulates proofs that it knows 
the message inside the (ui,vf) encryption, that it knows a permutation 7q and 
randomizers such that {(Uk, V k )}kes is a shuffle of {(uk, Vk)}keS, and that for 
each k £ S, (Uk, 14) is the decryption of (Uk, Vff) with key Xi used to form hi. If 
the sender activated is the last remaining honest sender, S queries T for the list 
of messages for honest senders. Furthermore, it knows the messages submitted 
by corrupt parties. It labels in random order the messages {rrik}keS- It picks 
(ui,Vi) at random and picks at random (Uk,Vf) for k £ S. Then for k £ S it 

sets Vk = U k 3GT 3 rrik, where T is the set of (corrupt) senders that have not yet 
been activated. S simulates the proofs of correctness and submits it all to T. In 
the end the simulated A terminates with output s. S outputs s and halts. 

Lemma 2. For any adversary A there exists a simulator S such that the two 
distributions Exp)?* 1 P ■ ■ ■ > m n, z) and Exp^™ (mi, . . . , m n , z) are in- 

distinguishable for all mi, . . . , m n , z. 

Proof. The proof is similar to the proof for Lemma 1. We use the simulator 
described above. We define three intermediate experiments Expi, Exp 2 and 
Expz and prove that Expp^ 1 ; Pn j(mi, . . . , m n , z) « Expi « Exp 2 ~ Exp 3 « 

Ex Pr m s( m iv,m n ,4 

Expi is the real-life experiment where we use rewinding techniques to extract 
witnesses for valid actions that A lets corrupt parties make. Having the witnesses, 
we can then execute this experiment in the trusted message board model, giving 
T the witnesses to go along with the messages. 

Exp 2 is a modification of Expi where we simulate all proofs that hon- 
est parties make. Consider how an honest party Pi computes the new state 
{(Uj, Vj)}j e s, where S is the set of parties that have submitted their message. 
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Write T for the set of remaining parties that have not yet made a broadcast. 
Pi first selects r, at random and sets ( ut,Vi ) = (gi, (TljeTuti} where 

gi = g ri and hij = h r I . Then Pi selects 7 q as a random permutation over S, 
and computes the pairs (U k ,V k ) = (u^-i^gth ’ v *~ 1 (k) lljeT hijkjkes, where 
gik = g Tik and hijk = h r P k , with the ruf s and rife’s chosen at random from Z g . 
Finally, for /c € S' it sets (U k ,V k ) = (U k ,V k U k Xi ) = (U k ,V k H jeS hj*). All this 
can be computed from a table of gi s, hj’s, hij' s, gaf s, and hij k s for the honest 
parties without knowing the underlying randomizers. 

Exp3 is a modification of Exp2 where the gi s, hj’s, hij’s, guf s and /life’s for 
honest parties are selected at random from G q . By a hybrid argument using the 
DDH assumption, Exp2 and Exp3 are indistinguishable. 

Looking at Exp3, we notice that we might as well pick the elements Vi,U k , 

Vfc completely at random from G q instead of bothering with picking a per- 
mutation 7 Tj and inserting messages, as long as Pi is not the last honest party 
to broadcast a message. An honest party Pi that is the last honest party to 
broadcast a message chooses Ui,Vi,U k ,V k at random. It picks a permutation it 

at random and sets 14 = eT 1 for k £ S. This last experiment is 

exactly what happens in the simulation so Exp3 and Exp^ 1 ^ are perfectly in- 
distinguishable. □ 

Theorem 2. The protocol described, in Figure 2 is a self-disclosing, dispute-free 
anonymous broadcast protocol with perfect message secrecy. If the last sender is 
an honest authority (who does not submit a message himself) then the protocol 
is fair. 

Proof. It is easy to see that the protocol is self-disclosing. The zero-knowledge 
proofs entail dispute- freeness. Perfect message secrecy follows from Lemma 2. 
Finally, fairness follows from the perfect message secrecy. □ 

4 Various Comments 

Reusing the public keys. In both the voting protocol and the anonymous broad- 
cast protocol we may reuse the public keys in many instantiations of the protocols 
presented here, but some care must be taken. The reason to be careful is the 
fact we must be able to rewind and extract witnesses from proofs made by the 
adversary. In the simulation, however, we cannot rewind the trusted party T, so 
we must be careful that we never have to rewind past a point where T gives us 
a partial tally or partial set of honest senders messages. When only a single pro- 
tocol is running this is no problem since in the zero-knowledge proofs we query 
the random oracle with the current state. When a partial result is released we 
always let an honest party act right after it, and this honest party injects some 
new randomness into the state. For this reason an adversary can not predict 
what the state will be after the release of a partial result, and therefore cannot 
make queries before the release of the partial result that it uses after the release 
of the partial result. This means that we never have to rewind back before the 
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release of a partial result. When running multiple protocols we have to query 
the random oracle with the states of all protocols to guarantee not having to 
rewind back past a point where a partial result was released. If we do this, we 
may use the same public keys to run many protocols. 

Universal composability. The statement of our lemmas is somewhat inspired 
by the universal composability framework of Canetti [12, 13]. However, we have 
not proved the protocols to be universally composable. In particular, we do not 
include a party Z to model the exterior environment. It is possible to make the 
protocols universally composable against non-adaptive adversaries by generating 
a key for a public key cryptosystem in the setup phase. After this we can in the 
key registration phase encrypt the keys Xj and prove to have done so in zero- 
knowledge. We can set this up so the simulator knows the corresponding secret 
key for the cryptosystem, and therefore it can make a straight-line extraction 
of the Xi s. Knowing the XiS it can then extract votes and messages, and carry 
on the simulation without ever having to rewind. Unfortunately, the technique 
above may make the protocols considerably less efficient and we have therefore 
not pursued this option in the paper. 

Flexibility in participation. It is easy to set up an election where only a part 
of the participants is allowed to participate. In that case, we simply ignore the 
public keys of those not allowed to participate in this instance of the protocol. 

In the voting protocol, it is easy to include new voters that may participate 
in future election. We can choose the group G q < "Lq specified by p,q,g in a 
publicly verifiable manner, e.g., chosen at random from the binary expansion of 
7 r, or chosen from a string of hashes on some random value. Considering uniform 
adversaries it would seem reasonable that this gives us a suitably hard group 2 . 
Since the new voter can trust this group, he simply needs to register a public 
key himself in order to join. 

In the anonymous broadcast protocol, we may also include new senders. 
However, here the new senders have to beware of the risk that the commitment 
scheme may be chosen with a trapdoor known to the senders already registered. 
Therefore, the new sender will have to update this commitment key in a publicly 
verifiable way. 

The authenticated broadcast channel. We do not need something fancy to form 
this channel. We may for instance assume that a central server stores all the 
data, and this central server may act like the authority too. 

To ensure correctness of the data we will assume that all communication 
is signed with a digital signature. We cannot rely on a certification authority 
to issue these digital signatures in the strict setting we are working in. Instead, 

2 While it varies from group to group how hard it is to compute discrete logarithms, 
we do not know of any groups where the DDH problem can be efficiently solved, 
provided the groups are some subgroup of Zp where q,p are suitably large primes. 
See also [14] on this issue. 
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each participant must certify each other participants public key. Since we assume 
only a few voters or senders are participating in the protocol, this is a reasonable 
burden to put on the participants. 

Imagine now that the central server fails. Since everything is digitally signed, 
the participants may restore the state of the message board from their own 
data. They may now simply set up a new server to run the protocol. It is easy 
to modify the votes in a publicly verifiable manner such that the data fits the 
public key of the new authority. 
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Biometrics are receiving a lot of attention because of the potential to increase the 
accuracy and reliability of identification and authentication functions. A lot of re- 
search has been done to assess the performance of biometric systems, with an empha- 
sis on false acceptances and rejections. Much less research has been done on the us- 
ability and acceptability of biometric security systems. A number of factors are 
increasing the usability of biometric devices. The sensors are getting smaller, cheaper, 
more reliable, and designed with better ergonomic characteristics. The biometric 
algorithms are also getting better, and many systems include features to train the users 
and provide feedback during use. In addition, biometric devices are being integrated 
into associated security systems, such as access control and encryption services, to 
provide a seamless environment. 

There are still a number of usability concerns, however. The accuracy of many 
biometric systems is still not high enough for some applications (i.e., matching 
against a very large database). Also, there is often a negative relationship between the 
accuracy of a biometric system and the convenience for use, with the most accurate 
systems (e.g., DNA, Iris, Retina) being the most awkward to use. Biometric devices 
also have continuing problems handling users with special physical characteristics, 
such as faded fingerprints, leading to high "failure to enroll" rates. 

Concerning the acceptance of biometric security systems, factors that are making 
the systems more acceptable include technical interest, concerns about identity theft, 
government border-control initiatives, and the opportunity to reduce memory de- 
mands by replacing memorized passwords. Research has shown, however, that users 
are still wary of accepting biometrics because the benefits are not always evident, and 
the possibilities for misuse and privacy invasions are large and not understood. Never- 
theless, a recent survey of Canadian citizens [1] found that 80% of the respondents 
think that biometric systems will be commonly used in the next 10 years. 

Overall, widespread use of biometrics in security systems faces a number of fun- 
damental challenges, not the least of which is that a biometric characteristic is not a 
secret, so there is always a risk of it being copied or forged. Including "vitality tests" 
that ensure the biometric is offered by a living person will be crucial to avoid these 
problems. Managing privacy impacts and ensuring personal control of biometric use 
will also be very important for promoting acceptance. 
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1 Introduction 

Mental models that may be useful in communicating within security communi- 
ties can communicate perverse incentives to naive end users. When experts use 
models and metaphors in their own explanations and understanding of a sys- 
tems, the metaphors are used to explain a particular element of a system based 
on a common understanding. When experts communicate to non-experts then 
those who are not expert then those end users take more than is intended by 
the expert. 

Mental models research can enable effective communication of research. I dis- 
cuss four possible approaches to computer security: medical infections, criminal 
behavior, economics failure, and warfare. If the models of computer scientists 
can be effectively communicated to end users then end user response may be 
enhanced. Without the ability to effectively communicate risk, no amount of 
technology will be empowering. I discuss the implications of each model for the 
end user, according to the implied responsibility of the end user. 

Risk communication in the environmental sciences is well grounded in decades 
of practice. Many of the practices abandoned by environmental scientist continue 
to be used in attempt to communicate risk to computer users. These include enu- 
merating all possible risks, attempting to make all those exposed to risk experts 
in the subject manner, and the use of confusing metaphors. 

2 The Medical Model 

In August of 2003, the computer security world already weary after a summer 
of headline-grabbing security problems rallied to defend systems against yet an- 
other internet worm, worm_blastMS. Although similar to previous blaster strains 
that exploited Windows RPC vulnerability, this “good worm” gained permissions 
through the security hole, then patched the infected system, preventing further 
malicious code from attacking. Although this worm still managed to bring down 
several networks due to a denial of service while the worm enforced patching, the 
security industry’s response was mixed. Some systems were undeniable saved, 
suffering only patching, in an environment where far too many users failed to 
protect themselves. The best defense to the worm removed autonomy and control 
from those who had failed to patch their systems. 

A. Juels (Ed.): FC 2004, LNCS 3110, pp. 106-111, 2004. 
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The medical model for malicious code is grounded in the patterns of diffusion 
of malicious code and infectious diseases, the importance of heterogeneity in the 
larger network, and again the importance of identification and response of a 
virus. 

Blaster is an example of a virus with an pseudo-immune response. Blaster 
was designed to implement a DoS attack against windowsupdate.com. However, 
Microsoft moved this server. 

The studies of network security have recently stressed the ecosystem of se- 
curity. 

A significant implication of public health is that there is a need for coordi- 
nated public response, however, the need for coordinated public response does 
not override the rights of individuals to make mistakes about their own health, 
even if that implies some risk to others. Public health also communicates to 
each person that the are likely to be targets. The individual risk model and 
the need for individual hygiene communicate individual responsibility as well as 
individual risk. No person believes they are not at risk for illness, unlike crime 
or warfare where there must be specific targeting. 



3 The Criminal Model 

The prosecutor in the Melissa virus case argues that this is “simply crime,” argu- 
ing further that “Law enforcement can employ technology, too, and track down 
virus writers and hackers through the electronic fingerprints they invariably leave 
behind.” (Smith, 2002). However, As of January of 2003 Norton antivirus offered 
30,084 discrete virus descriptions and Symantec has recorded 4397 additional de- 
scriptions. virus or worms for which it has on-line descriptions including date of 
release and payload. There have been six prosecutions of authors of malicious 
code. These are described in this section, illustrating that there is little corre- 
lation between the severity of the violation and resulting prosecution. Severity 
may be measured in inherent damage by the payload or by the extent of the 
distribution; regardless there is no consistency. 

There have been remarkable successes. Robert Morris was identified almost 
immediately as the creator of the first Internet worm, and was sentenced to 
three years probation. (Morris is now on the faculty at MIT). The worm also 
lead to the passage of the Computer Fraud and Abuse Act in the United States, 
The initiator of the SMEG family of virus’ in 1995 received less generous treat- 
ment, arguably because there was no feasible possibility that he was engaged in 
research. Christopher Pile was the first person sentenced under the Computer 
Misuse Act in the United Kingdom and received an 18-month prison term. 

Chernobyl has the most destructive payload yet recorded. Chernobyl destroys 
data by beginning at the disk sector zero and writing randomly generated data 
until the computer crashes. Before over writing the data Chernobyl corrupted 
the machines BIOS. The Taiwanese author of that virus Chen Ing-hau escaped 
prosecution because there had been no Taiwanese complaints against him. The 
virus was most destructive in South Korea and Hong Kong. 
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In contrast the author of the Melissa virus was sentenced to 20 months in 
prison, committed to community service, and fined. 

Jan De Wit authored the Anna Kournikova and turned himself in. (The 
worm was named after the image file to which it was attached). He received 150 
hours of community service. The worm’s payload was self-reproduction via MS 
Outlook. 

Onel de Guzman of the Philippines authored the “i love you” virus. The so- 
called Love Bug altered image files and template files, thus severely damaging 
the document on Windows-based web servers. It altered MP3 files. It added itself 
to all visual basic scripts. However, authoring such a virus was not a crime in 
the Philippines and thus the author remains free. 

Four Israeli teenagers were arrested for developing The Goner in 2001. be- 
cause of their age the final judgments against them are not public. 

These six cases are the only recorded prosecutions for the release of a virus 
in the wild. The SoBig virus is believed to have originated in China, similarly 
other malicious rapid code could have been developed by any of a billion people. 

Thus we have illustrated that the prosecution of malicious code has not 
proven successful. Yet this does not imply that the mental model of virus as 
crime cannot be used to better inform the population. In the last decade mali- 
cious code has been recognized as criminal and malicious behavior. There has 
been increased discussion of when malicious code can be socially acceptable 
(lracktivism references) with an understanding that it is criminal by default. 
This remarkable cultural change has been primarily in the computing popula- 
tion, and its use for the naive user will be explored. 

If computer crime is considered strictly crime then the response to this crime 
has been inadequate and arbitrary. If Computer crime is criminal than the end 
user is responsible for taking particular actions in order to avoid making him or 
herself a specific target of opportunity. When computer crime is crime, then the 
end user has to experience him or her self as a potentially vulnerable target. The 
end users may be recruited into community policing, yet that requires providing 
the end user with the ability to recognize an attack. 

4 The Warfare Model 

That the warfare metaphor has been internalized is clear from the choice of 
terms used in network security, as well as the design. 

Firewalls are perimeter defense technologies. Similarly intrusion detection is 
based on defense of a trusted interior and a trusted exterior. DMZs are another 
metaphor that embeds the concept of computer security as warfare. 

Slammer represents both the potential and the problems with the warfare 
metaphor. Most individuals had no knowledge that they were at risk. Education 
was made more difficult as the initial response was, “I don’t have a database - 
that is something for web servers.” 

Slammer illustrates the need for coordinated action, which is clearly an ele- 
ment of the war metaphor. The spread of Slammer could be easily detected at 




Mental Models of Computer Security 109 



the network and thus could be completely stopped by blocking every 376- byte 
UDP packet to port 1434. In fact, two terrorist groups have claimed responsi- 
bility as would be appropriate in the warfare metaphor. However, in both cases 
technical flaws in their argument clearly disqualified the claimants. 

The public health or epidemic model also suggests coordinated action. Law 
enforcement failed and there was no economic incentive. 

Warfare metaphor is applicable in the critical need for speed in the response, 
the potential catastrophic results of a loss, and the focus on the control of re- 
sources. 

In communicating the need for citizens to be alert, and the importance of in- 
dividual action for collective security the warfare metaphor is powerful. However, 
the implication that the network is in a state of war implies that the individual 
may necessarily yield civil liberties. Warfare implies a temporary state and an 
identified state actor as initiator of an assault. Warfare is also a temporary state 
of affairs. 

5 The Market Model 

Security and network vulnerabilities can be seen as an economic failure. Secu- 
rity can be seen as a market failure, an externality (Camp & Wolfram, 2001). 
Computer security failures cause downtime and costs. 

Three common ways in which security from one system harm another are 
shared trust, increased resources, and the ability for the attacker to confuse 
the trail. Shared trust is a problem when a system is trusted by another, so 
the subversion of one machine allows the subversion of another. (Unix machines 
have lists of trusted machines in .rlrosts files) . A second less obvious shared trust 
problem is when a user keeps on one machine his or her password and account 
information for another. The use of cookies to save authentication information 
as well as states has made this practice extremely common. 

The second issue, increased resources, refers to the fact that attackers can 
increase resources for attacks by subverting multiple machines. This is most 
obviously useful in brute force attacks, for example in decryption or in a denial of 
service attack. Using multiple machines makes a denial of service attack easier to 
implement, since such attacks may depend on overwhelming the target machine. 

Third, subverting multiple machines makes it difficult to trace an attack from 
its source. When taking a circuitous route an attacker can hide his or her tracks 
in the adulterated log files of multiple machines. Clearly this allows the attacker 
to remain hidden from law enforcement and continue to launch attacks. The last 
two points suggest that costs to hackers fall with the number of machines (and 
so the difference between the benefits of hacking and the costs increases) , similar 
to the way in which benefits to phone users increase with the number of other 
phones on the network. 

A fourth point is the indirect effect security breaches have on users’ willing- 
ness to transact over the network. For instance, consumers may be less willing 
to use the Internet for e-commerce if they hear of incidents of credit card theft. 
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This is a rational response if there is no way for consumers to distinguish security 
levels of different sites. 

Because security is an externality the pricing of software and hardware does 
not reflect the possibility of and the extent of the damages from security failures 
associated with the item. 

Externalities and public goods are often discussed in the same breath (or 
at least in the same sections of textbooks). They are two similar categories of 
market failures. A common example of a public good is national security, and 
it might be tempting to think of the analogies between national security and 
computer security. National security, and public goods in general, are generally 
single, indivisible goods. (A pure public good is something which is both non-rival 
my use of it doesn’t affect yours and non-excludable once the good is produced, 
it is hard to exclude people from using it.) Computer security, by comparison, 
is the sum of a number of individual firms’ or peoples’ decisions. It is important 
to distinguish computer security from national security (i.e. externalities from 
public goods) because the solutions to public goods problem and to externalities 
differ. The government usually handles the production of public goods, whereas 
there are a number of examples where simple interventions by the government 
have created a more efficient private market such that trades between private 
economic parties better reflect the presence of externalities. 

SoBig is an exemplar of security as an externality. SoBig was motivated by 
the ability to subvert the computers of naive end users in order to implement 
fraud through phishing and spam. The creator of SoBog has not been detected by 
law enforcement. In fact, the lack of consideration of agency in computer crime 
laws creates criminal liability for those with computers subverted by SoBig as 
they are, in fact, spamming, phishing or implementing DoS attacks from their 
own home machines. 

Such an attack had been previously identified as a theoretical possibility the 
year before it occurred in the First Workshop on the Economics of Computer 
Security. 

The model of computer attacks as infection does not apply because the large 
financial motivation for creation of virus’ are not addressed. 

The model of computer crime as warfare fails in the SoBig example because 
the virus subverts but does not destroy. Conversely, 9/11 illustrates that the most 
effective attack against an advanced system is based on hijacking the system to 
leverage its destructive power. SoBig could be arguable leveraged as an effective 
terror attack. 

What Is the Problem? 

The different examples and metaphors suggest difference responses. Crime sug- 
gest investigation of every virus and worm. Crime also suggests minimal citizen 
responsibility with the possibility of neighborhood watch. The public health or 
metaphor implication requires coordinated public action with a fundamental 
requirement for retaining individual autonomy and civil rights. The criminal 




Mental Models of Computer Security 111 



metaphor requires tracking and prosecution. The concept of warfare requires 
tight constraints on the network, with limited autonomy and top-down con- 
trols. Non-technical individuals will take all the implications of the metaphors. 
Therefore when communicating with policy makers, media, and non-technical 
users the computer security expert should consider which metaphor correctly 
communicates user expectations. 
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System Administrators are users too! While the focus of human-computer in- 
teraction in security has to this point in time been on end-users, an important 
class of users who manage networked systems should not be ignored. In fact, 
system administrators may have more effect on security than individual users 
since they manage larger systems on behalf of users. End-users have become 
dependent upon the availability of services such as network-attached storage, 
authentication servers, web servers, and email gateways. These Internet-scale 
services often have thousands of hardware and software components and require 
considerable amounts of human effort to plan, configure, install, upgrade, mon- 
itor, troubleshoot, and sunset. The complexity of managing these services is 
alarming in that a recent survey of three Internet site showed that 51% of all 
failures are caused by operator errors [1]. 

Some of security administration is automated, however, the actual degree of 
automation is much lower than many people assume. Human operators are still 
very much in-the-loop. particularly during emergencies. Delay in the human- 
computer interface can adversely affect system security so an important goal 
is to enhance this interface to reduce the delay. Methods are needed to help 
security operators more quickly extract vital information from large amounts of 
data and translate this information into effective control actions. 

Information visualization tools can aid in any situation that is characterized 
by large amounts of multi-dimensional or rapidly changing data and has rapidly 
emerged as a potent technology to support system administrators working with 
complex systems. The latest generation of visual data mining tools and animated 
GUIs take advantage of human perceptual skills to produce striking results - em- 
powering users to perceive important patterns in large data sets, identifying areas 
that need further scrutiny, and enabling sophisticated decisions. But looking at 
information is only a start. Users also need to manipulate and explore the data, 
using real-time tools to zoom, filter, and relate the information - and undo if 
they make a mistake. In presentation and discussion I show successful examples 
of information visualization for security and hints of what is to come [2, 3]. My 
emphasis will be on examples of computer network intrusion detection and will 
highlight the challenges of providing universally usable interface designs. 
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1 The Role of User Expectations 

Software correctness alone is not sufficient to achieve security, as some viruses 
and e-mail worms have demonstrated. For example, the Love Letter worm caused 
widespread damage even though it did not exploit any software flaws. It spread 
because users were unaware that attempting to view an attachment would dam- 
age their files and propagate the worm. User expectations are an essential part 
of the definition of computer security. 

Users are constantly manipulating security policies through their interactions 
with computers. For instance, security expectations change, and hence security 
policies should change, whenever an application is installed, started, or stopped, 
and even when files are created, moved, or opened. So, merely upholding a static 
security policy is insufficient. Although much effort has been spent on methods 
for specifying security policies and formally assuring that programs will meet 
them, much more work is also required to understand how user expectations 
change over time and how to adjust policies accordingly. 

2 Resolving the Conflict between Usability and Security 

In most cases, security is not the primary purpose for using a computer. People 
use computers to communicate with friends, create art, manage money, prepare 
documents, and so on. Many of today’s applications handle security issues by 
introducing security prompts that interrupt the main task or by expecting users 
to adjust settings on hidden option panels. That is to say, they present security 
as a secondary task. Whenever security is secondary, it opposes the usability of 
the primary task: users find it a distraction that they would rather ignore, avoid, 
or even defeat. Creating such a conflict ensures that the battle for security is 
lost even before it has begun. 

But security measures need not necessarily make systems harder to use. The 
best security measures are incorporated into the user’s workflow and become 
part of the user’s main task rather than secondary tasks. Usability and security 
goals can be aligned by applying security mechanisms to accurately reflect the 
intent already expressed in user actions. 

The security and usability communities have one important thing in com- 
mon. They are both familiar with failed attempts to add security or usability 
as an afterthought to a completed design. Security practitioners know that true 
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security cannot be effectively added on to an existing system after the fact. 
Likewise, usability practitioners know that usability consists of much more than 
cosmetic touches added after a product is complete. Security and usability teams 
are likely to find themselves in conflict when either or both concerns have been 
treated as an afterthought. Systems that are designed without marginalizing ei- 
ther concern and incorporate both sets of considerations throughout the design 
process will yield the most successful results. 

3 Suggested Design Principles 

You may find the following guidelines helpful for thinking about designs for 
secure systems. When evaluating a system, ask whether the system meets these 
guidelines. If you discover a violation, the implications are probably worth some 
consideration. These principles are discussed and developed more detail in an 
earlier paper [1], 

Path of Least Resistance. The most natural way to do any task should also 
be the most secure way. 

Appropriate Boundaries. The interface should expose, and the system should 
enforce, distinctions between objects and between actions along boundaries that 
matter to the user. 

Explicit Authorization. A user’s authorities should only be provided to other 
actors as a result of an explicit user action understood to imply granting. 
Visibility. The interface should allow the user to easily review any active au- 
thority relationships that would affect security-relevant decisions. 

Revocability. The interface should allow the user to easily revoke authorities 
that the user has granted, whenever revocation is possible. 

Expected Ability. The interface must not give the user the impression of having 
authorities that the user does not actually have. 

Trusted Path. The interface must provide an unspoofable and faithful commu- 
nication channel between the user and any entity trusted to manipulate author- 
ities on the users behalf. 

Identifiability. The interface should enforce that distinct objects and distinct 
actions have unspoofably identifiable and distinguishable representations. 
Expressiveness. The interface should provide enough expressive power (a) to 
describe a safe security policy without undue difficulty; and (b) to allow users 
to express security policies in terms that fit their goals. 

Clarity. The effect of any security-relevant action should be clearly apparent 
to the user before the action is taken. 
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Many companies have brought new Internet payment systems to market, and 
many have failed. Innovative technology is important, but obviously not suffi- 
cient. Technology must match consumer interests and the changing legal envi- 
ronment. 

Cyphermint has developed an innovative Internet payment system called Pay 
Cash, and built a growing company to offer secure financial services. Cyphermint 
has distinguished itself by addressing the market needs of unbanked users, i.e. 
consumers in the US and around the world who are not adequately served by 
banks and credit card issuers. As a result, the system was developed for use from 
publicly-accessible user-friendly kiosks that support Internet shopping, bill pay- 
ment, and other financial services, in addition to use from the typical Internet- 
connected PCs. These kiosks have so far been deployed across the United States 
and Canada. 

The Pay Cash system [1] is based on the concept of electronic cash. Many 
talented researchers have sought ways to increase anonymity in such systems, 
sometimes at the expense of other traits desired by consumers or law-makers. 
Cyphermint responded to market demand and the events of September 11, 2001 
by eliminating anonymity for US consumers, and more generally, by develop- 
ing a flexible anonymity policy. This allows Cyphermint to accommodate user 
preferences and privacy and security laws that differ greatly from nation to na- 
tion. Moreover, even where accountability is considered more important than 
complete anonymity, privacy is always protected. 

Pay Cash includes novel techniques to generate trustworthy records of all 
transactions, allowing it to reduce the costs of dispute resolution, and detect 
many forms of fraud. Dispute resolution is normally expensive, so this greatly 
reduces real transaction costs, especially with micropayments. The system also 
allows users to send a variable number of “electronic coins” in a single message, 
so both large and small amounts of money can be transferred efficiently. 
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Abstract. We propose a new cryptographically protected multi-round auction 
mechanism for online auctions. This auction mechanism is designed to provide 
(in this order) security, cognitive convenience, and round-effectiveness. One can 
vary internal parameters of the mechanism to trade off bid privacy and cognitive 
costs, or cognitive costs and the number of rounds. We are aware of no previous 
work that interleaves cryptography explicitly with the mechanism design. 

Keywords: auctions, cognitive costs, cryptography, mechanism design, privacy 



1 Introduction 

Traditionally, cryptography has been used to securify an existing auction mechanism 
- e.g., an English auction - by adding a layer of security and privacy on top of it. 
We show that introducing cryptography at the mechanism design level allows one to 
achieve many desirable properties. More precisely, we will concentrate on online auc- 
tions that can be organised over the Internet or a local wireless network. The bidders 
use software agents that do the computationally intensive parts of the bidding, while 
the human beings control the prices. Now, the software agents have, compared to the 
human beings, the necessary computing power and “willingness” to participate in more 
resource-consuming auction types. This increases the flexibility of mechanism design, 
making it possible for the sellers (auctioneers) to choose between auction mechanisms 
that are infeasible to implement in conventional auctions. In particular, it becomes pos- 
sible to use public-key cryptography [DH76] to ensure both security (correctness in the 
presence of malicious sellers) and bid privacy. 

At the expense of mitigated computational costs, the importance of other mecha- 
nism properties will grow in online auctions. Cognitive costs of computing one’s val- 
uation will dominate over the computational costs. Therefore, to further simplify par- 
ticipation in online auctions, it is desirable to devise an auction mechanism that neither 
requires the bidders to do an elaborated precomputation to calculate their precise val- 
uation, nor extensive online calculations to react properly to the bidding strategies of 
other participants. 

Security is another important concern in auctions. Auction fraud was the most com- 
mon complaint to Internet Fraud Complaint Centre (IFCC) during the last years [CoI03] . 
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The number of frauds could be decreased by using an auction mechanism with better se- 
curity properties. For example, an online auction mechanism should be secure against a 
malicious seller and various possible attacks (shills, collusive bids, jump bidding). Ad- 
ditionally, only a minimal amount of information should be leaked to the seller or to the 
other bidders. Unfortunately, not all goals are achievable at the same time. As we will 
see in Section 3, one must trade off cognitive costs and resource-effectiveness, as well 
as cognitive costs and privacy. In particular, to have small cognitive costs, one should al- 
low a large number of rounds, but also introduce some (otherwise unnecessary) privacy 
leakage. 

We argue that a good auction mechanism should emphasise privacy and security 
against the seller over cognitive costs. Hence, when constructing an online auction 
mechanism, one should first make sure that the auction satisfies the desired allocation 
criteria, is secure against sellers and (almost-ideally) privacy-preserving. The next goal 
is to mitigate the cognitive costs as much as possible, without hurting security against 
the seller and bid privacy. For example, to minimise the (online) cognitive costs, it is 
desirable to have a non-manipulable mechanism - otherwise, the strategies of partici- 
pating bidders might become arbitrarily complex. On the other hand, also some infor- 
mation about other bidders’ valuations must be leaked for this purpose. Finally, one 
should make sure that the mechanism is sufficiently effective - that is, that it does not 
have more (and desirably, has less) rounds with human interaction than say proxy bid- 
ding, another auction mechanism tailored for agent-mediated online auctions, or require 
super-polynomial-time computations. 

We will propose a new auction mechanism that is based on those guidelines, but 
we will also introduce parameters that make it possible to have a conscious trade off 
between the privacy and the cognitive costs, and between the cognitive costs and the 
number of rounds. We will discuss other desired and existing properties of (online) 
auctions in Section 3. There, we will point out why currently known mechanisms are 
less than ideal. 

Briefly, every round of the new mechanism is a second-price auction (i.e., a Vick- 
rey auction). This suffices to make the mechanism non-manipulable in the private value 
model, as well as in some interesting special cases of the common value model. Second, 
during every round only m — 1 bids are revealed, where m is a public auction parameter. 
The revelation helps to alleviate cognitive costs (compared to a Vickrey auction), and 
the hiding of other bids protects privacy (compared to an English auction or proxy bid- 
ding). Third, this auction mechanism is parameterised by the cognitive error coefficient 
0 < £ < 1, that forces the bidders to precompute their values at least to some extent 
and thus has the potential to reduce the number of rounds. Additionally, the described 
mechanism is cryptographically protected, and includes some sensible finishing condi- 
tions that provide protection against shills and collusive bids. Some protection is also 
provided against jump bids. 

The proposed mechanism has the same privacy properties as the cryptographically 
secured Vickrey mechanism (indeed, the choice m = 2 and e = 0 results in a Vickrey 
auction), while the cognitive costs are comparable to the ones in English auctions. See 
Section 4 for a fuller description of the new mechanism, followed by detailed analy- 
sis. Finally, the new mechanism seems to be the first one that has been designed from 
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scratch to provide security against the seller and bid privacy, and to minimise cognitive 
costs at the same time. 

The difference from the well-known methodology of adding a cryptographic pro- 
tocol on top of an existing mechanism is in that we are able to overcome some weak- 
nesses of classical mechanisms. Therefore, our work has relevance to classical auction 
theory. We hope that it will stimulate more work in the direction of designing new auc- 
tion mechanisms suited for online auctions. We also expect to see some convergence 
between the until-now separate lines of research on the game-theoretic, cognitive and 
cryptographic properties of auctions and of mechanisms in general. 

Road-Map. Section 2 introduces some necessary cryptographic preliminaries. Sec- 
tion 3 gives a short overview of the different goals of auction mechanisms. Section 4 
describes the new auction mechanism, followed by discussion and analysis. Section 5 
explains the difference with related work. 



2 Cryptographic Preliminaries 



Public key cryptosystem is a triple 77 = ( Gn,E,D ) of key generating, encryption 
and decryption algorithms. Commitment scheme r = (Cl r- C) is a tuple of key gen- 
erating and commitment algorithms. We use standard notations like E^(m: r) and 
Cif (to; r) to denote encryption/commitment of to by using a newly generated random 
value r. A public key cryptosystem 77 (resp., a commitment scheme /') is homomorphic 
if E K (m 1 -,r 1 )E K (m 2 -,r 2 ) = E K {mi + m 2 ',r 3 ) (resp., C K (mp, ri)C K (m 2 -, r 2 ) = 
Ck(tti i + ?n 2 ;r 3 )) for some r 3 . For our purposes, we will use the homomorphic 
Damgard-Jurik cryptosystem [DJ01] that allows to flexibly encrypt large plaintexts. We 
will also use the homomorphic Damgard-Fujisaki (DF) statistically hiding and compu- 
tationally binding integer commitment scheme [DF02] that allows to commit to arbi- 
trary integers. 

One can build efficient zero-knowledge arguments for a large class of languages by 
using an integer commitment scheme, as shown recently in [Lip03a]. In particular, there 
exist very efficient arguments for showing that (a) A committed number p belongs to 
an arbitrary finite interval [7, h\. We call the corresponding argument a range argument 
and refer to [Lip03a] for precise proofs; and (b) A committed number has the form IP 1 , 
where p £ [7, h] . We call the corresponding argument a range argument in exponents 
and refer to [LAN02,Lip03a] for a description. Due to the properties of the DF commit- 
ment scheme, the described zero-knowledge arguments will be statistically hiding and 
computationally convincing. This suits well the auction scenario, since one might want 
to have bid privacy for a long time, while the binding (and convincing) property is only 
needed for the duration of the auction. 

We will also need to give range arguments (in exponents) for encrypted numbers. 
For this, we will assume that one accompanies all encryptions and operations on ci- 
phertexts with similar commitments and operations on committed values. Now, when 
one needs to argue that the encrypted value satisfies some properties, one argues on 
the committed value instead, and then argues that the two values are equal. The latter 
argument is very standard. 
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3 Auction- Theoretic Goals for Mechanism Design 

An auction mechanism is a protocol between the auction participants, with a moti- 
vational ingredient of monetary rewards for “proper” actions; in particular, it is re- 
quired that nobody should have a negative payoff when following the auction mech- 
anism. Some well-known mechanisms are English auctions (first-bid ascending auc- 
tions), Vickrey auctions (second-price sealed-bid auctions) and first-price sealed-bid 
auctions. We refer to [Kri02] for an overview of auction mechanisms. Auction theory 
usually assumes either the private value model (the bidders know their values or can 
compute them without using information about others’ values) or the common value 
model (the valuation has a common component that is only partially known to bidders). 
We call a participant (either a bidder or the seller), who dutifully follows the auction 
mechanism and does not share her private information with other parties, honest. 

An ideal auction mechanism should aim for the following properties. First, with re- 
spect to allocation, usually the goal is either Pareto-efficiency or revenue maximisation. 
The former is equivalent to maximising the social welfare, i.e., awarding the item to the 
bidder who values it most, while the latter corresponds to maximising the seller’s profit. 
Sometimes, these two goals are in conflict, in which case a trade-off between them can 
be considered. Second, resource-effectiveness: The auction takes a small number of 
human-interacted rounds. The auction rules are sufficiently simple so that the seller and 
the bidders can follow them in “reasonable” time. Third, security against the (mali- 
cious) seller: The seller cannot increase the final price or change the winner without 
being caught. Fourth, privacy: No information about the bids of honest bidders is re- 
vealed, except the information that can be derived from the winner’s identity and the 
contract price. Fifth, minimal cognitive cost: The cognitive cost of computing the valu- 
ation is small. Other properties are security against shills, collusive bids, jump bidding, 
etc [Kri02], 

The cognitive cost of strategy planning is especially important in online auctions 
[UPF98,PUF98]. Since other participation costs decrease considerably due to the use of 
software agents, cognitive costs of computing one’s valuation start to dominate. There- 
fore, it becomes important to decrease cognitive costs by devising an auction mecha- 
nism that neither requires the bidders to do an elaborated homework to compute their 
precise valuation and strategy, nor requires them to do extensive online calculations to 
react properly to the bidding strategies of other bidders. Such an auction mechanism 
should still have other desirable properties. 

One must trade off between some of the mentioned properties. Clearly, the more 
information is leaked during an auction, the smaller is the cognitive cost. In most cases, 
this results in a higher seller’s revenue [MW82] and possibly more efficient allocation in 
the presence of bounded-rational bidders. Usually, this means that multi-round actions 
with gradual information leakage are therefore revenue-maximising and also guarantee 
the best results for bounded-rational bidders. An interesting alternative approach was 
presented in [PWZ00], who constructed a two-round second-price sealed-bid auction 
PWZ mechanism with the same seller revenues as the English auctions, but with the 
drawback (from the privacy standpoint) that the two highest bidders of the first round - 
who continue in the second round - obtained the the distribution of first round losers’ 
bids. The PWZ mechanism is resource-effective, and also slightly better than the Vick- 
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rey mechanism in cognitive cost. However, if the bidders are bounded-rational, then 
the PWZ mechanism is not Pareto-efficient, since all but 2 players do not get a second 
chance to revise their bids, and the remaining 2 players only get one more chance for it. 

Proxy bidding is a designated online auction mechanism that assumes that all bid- 
ders use software agents with a fixed upper bound on the price. The agents participate in 
an English auction until this upper bound has been reached. Only after that the agents 
consult with their owner, who has to decide whether to continue to bid (by setting a 
new upper bound) or not (by passing). This can last many rounds, until the final price 
does not rise anymore. Clearly, proxy bidding has smaller cognitive costs than one- 
shot auctions, and on the other hand, has smaller participation costs (due to the smaller 
number of human-interactive rounds) than English auctions. Hence, proxy bidding of- 
fers a balance between the cognitive cost and the resource-effectiveness of the English 
and Vickrey auction mechanisms. This may explain the dominance of proxy bidding in 
Internet auctions: as early as in 1999, Lucking-Reiley surveyed 142 auction sites and 
found that 65 of them use a form of proxy bidding [LucOO, Section VIII. A]. 

However, even proxy bidding has its downsides. In particular, it does not solve the 
problem of revealed statistics even when cryptographically secured. (E.g., identities of 
persons who participate at every time moment, and therefore also partial information 
about their valuations, are revealed to the seller.) Moreover, if many bounded-rational 
people participate, proxy bidding can have a large number of rounds. So, while such a 
multi-round mechanism together with an adequate cryptographic protection increases 
privacy and efficiency compared to pure English auctions, it is still not ideal. 

Bid Privacy and Security against Sellers. Clearly, a malicious seller can change the 
results of an auction to his benefit when it is not possible to verify his actions or when 
he obtains too much information about bidders’ valuations. This is commonly seen 
as a reason why Vickrey auctions are not employed in practice [RTK90,RH95]. This 
observation has motivated a huge body of research on cryptographic Vickrey auction 
schemes, starting with [NS93], Clearly, protecting privacy is important also in other 
auction mechanisms. However, the PWZ mechanism, proxy bidding and English auc- 
tions are (designed to be) “bad” from the privacy viewpoint, since they intentionally 
reveal the bid statistics to alleviate the cognitive cost. 

We believe that a good auction mechanism should emphasise privacy and security 
against the seller over the cognitive costs. Our (informal) reasoning behind this belief is 
that it is easier to define what is the privacy (and what is a privacy leak) than to model 
the cognitive costs, as the latter vary widely from one bidder to another. For example, if 
instead of a single bid, information about two competing bids will be leaked, then this 
is certainly a privacy leak, but can bidders use this additional information to adjust their 
estimate of their own values? Probably yes, but how much exactly do they gain? If one 
cannot guarantee that a deliberate loss of privacy will decrease the cognitive costs, it is 
better not to lose any. (Cognitive cost is modelled in some publications [Par99,LS01], 
but there the authors are more concerned with the agents doing the computations, not 
the human beings.) 

Cryptographic Auction Schemes. Cryptographic auction schemes are cryptographic 
algorithms to support specific mechanisms, that, when correctly followed by an honest 
party, ensure that certain well-defined privacy/security-against-the-seller properties will 
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Table 1 . Comparison of different existing auction mechanisms and the new mechanism in the 
mentioned five categories: A “+” means that the mechanism performs well in this category, “(+)” 
means that the mechanism enjoys slightly better properties than the unmarked mechanisms, and 
means that this property is undesirable by the design. The first column refers to efficiency in 
the private value model. 



Mechanism 


Pareto-e. 


Round-effect. 


Sec. against Auct. 


Priv. 


Cogn. c. 


English 


+ 






- 


+ 


Dutch 






+ 


+ 




First-price 




+ 


(+) 


(+) 




Vickrey [Vic61] 


+ 


+ 








Proxy bidding 


+ 


(+) 




- 


+ 


PWZ [PWZOO] 


+ 


+ 




- 


(+) 


Secure Vickrey 


+ 


+ 


+ 


+ 




Secure proxy bidding 


+ 


(+) 


+ 


- 


+ 


The new mechanism 


+ 


(+) 


+ 


+ 


+ 



be held w.r.t. her. In particular, a good auction scheme must ensure that neither a cheat- 
ing seller nor cheating bidders can affect the allocation. Andrew Yao [Yao82] was the 
first to consider cryptographic (English) auctions. Cryptographic auction schemes for 
different auction mechanisms have been designed since then. (See [NPS99,LAN02] for 
some examples and an overview of the related literature.) In particular, cryptographic 
Vickrey auction schemes satisfy all desired properties that were described in the be- 
ginning of this chapter, except that they do not minimise the cognitive costs. The best 
cryptographic auction schemes guarantee security against the seller and privacy, to the 
extent required by the auction mechanism. 

Summary of Auction Mechanisms. There are many well-known auction mechanisms, 
like English. Dutch, first-price sealed-bid and Vickrey [Vic61] auctions. (A description 
of these mechanisms can be found in [Kri02].) Different auction mechanisms satisfy 
different desiderata that are summarised in Table 1 . (Note that we do not consider rev- 
enue maximisation: generally speaking, it is not achieved by any of the standard mech- 
anisms, and also it requires more information about the bidders’ valuations that we are 
willing to assume.) We do not know of any mechanism-scheme combination that satis- 
fies all the previously described auction desiderata. Note that not all five desiderata, as 
described in the beginning of the current section, are equally important in all situations. 
Traditionally, one has mainly been stressing the first two properties. We will concentrate 
on online auctions, where the last three properties will gain in importance. 

4 New Mechanism 

4.1 High-Level Description 



In this section, we describe the new cryptographically secured multi-round sealed-bid 
auction mechanism. Discussion and explanation will follow. 
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Notation. Let P = {iq, . . . , vy } be the set of possible valuations, e.g., {0.01, 0.03, . . . , 
0.90,0.94,1.00}; in practice, this means that some valuations are rounded off. The 
auction consists of the setup phase, rounds 1 , ,R (where R is not fixed in advance), 
and the closing phase. 

Setup Phase. Assume that (f> is a monotonic bijective function from P to the set of 
actual bids [0, V — 1] that is sent - in a signed form - to the bidders by the seller S 
during the auction setup. (<j> may be unknown by the auction authority A.) The mech- 
anism is parameterised by public values m > 2 and e < 1, selected by the seller S 
and announced to everybody before the auction. Intuitively, £ specifies to what degree 
the auction takes on the character of an English auction (e — > 1) or a Vickrey auction 
(e = 0), and m specifies the amount of deliberately leaked information. There are B 
bidders 1, . . . , B, one seller S and the auction authority A. Anybody can act as S (this 
means in particular that no trust can be put on S ) while the authority is an established 
business party with a reputation history. The participants obtain a committing key, an 
encryption key and a signature key of the parties, with whom they will start to com- 
municate. Otherwise, auctions are set up as usual, in particular by publicly announcing 
details such as the closing date. 

Let (X{, . . . , Xg) be the list of bids made in the ?’th round, r > 1, in non-increasing 
order, and let Y[ be the bidder who made the bid Xf. Note that X[ £ [0, V — 1] for all 
r and i. We assume that bi = X® = 0 and let (1}°) be an arbitrary permutation of all 
bidders. 

Auction Round r > 1. Before the first round, all bidders receive a signal s, about 
their true values. At the beginning of the rth round, r > 1, the bidders compute an 
estimate e\ £ P of their true private values that depends on their initial signal and on 
public information, obtained in the previous rounds. Intuitively, for rational agents it 
should be the case that (1 — e)vi < e\ < Vi. Bidders enter b \ = (f>((3i(el)) into their 
software agent, where /3 is the ith strategy function. After that, the agents participate in 
a cryptographically secured sealed-bid auction protocol between bidders, the seller and 
the authority. Every bidder i submits an encryption of b]\ and argues in zero-knowledge 
that 






( 1 ) 



At the end of rth round, the authority outputs a signed tuple view(r) := (X£ , . . . , X^-, 
Ck(X[; p r )) for a new random value p r . The authority accompanies this with a non- 
interactive zero-knowledge argument that view(r) is correctly computed. All this is 
published in an authenticated manner to all bidders, who can do independent verifica- 
tions. 

Closing Phase. The auction lasts R > 2 rounds and stops iff X,? = X} 1 ' 1 . (This is 
verified by all bidders by using the published zero-knowledge arguments.) The contract 
price will be XJp . Then Yf 1 is established by using another (interactive) cryptographic 
protocol. If there is a tie, one of the winners is selected by using, e.g., the equal proba- 
bility rule. 
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4.2 Cryptographic Implementation 

Every round of the new mechanism is a cryptographically secured 2nd-price auction 
where instead of only the second highest bid, m — 1 bids are revealed. Next, we outline 
some cryptographic implementation details. We will base our implementation on the 
LAN mth-price auction scheme [LAN02], although we stress that this is just an example 
cryptographic implementation. Additional tools [LAN02] can be employed to make the 
implementation secure against replaying attacks. 

To simplify the zero-knowledge arguments, we will assume that bid 0 corresponds 
to some absolute minimal price p m i n , and that = d ■ — for some 

fixed d. (This same assumption makes also sense from the psychological and auction- 
theoretic viewpoints, see Section 4.3.) In this case, cfr 1 (b) = Pmin( and the left 

side of ( 1 ) simplifies to the requirement that > (— 0 r b\ < d+bj. 

As in the LAN scheme, we will accompany all encryptions with corresponding 
commitments. Assume K is A’s public key. In every round r, the ith bidder sends an 
encryption of B bi to the seller 5, by using an authenticated channel. This is accompa- 
nied by an efficient non-interactive statistical zero-knowledge (NISZK) argument that 
the bid was correctly formed [LAN02] (this is a range argument in exponents), and 
that (1) holds (this consists of two range arguments). These arguments can be shortened 
by using a different encoding function Zsibi) instead of B bi [Lip03a]. Both the bids 
and the NISZK arguments are stored on a cryptographic bulletin-board that is made 
publicly available to all bidders. (They can also simply be sent to all bidders.) 

Next, the seller forwards the product of encrypted bids to the authority, who de- 
crypts the bids, finds out the m highest bids and sends view(r) back to the seller over 
an authenticated channel; note that Xf is not revealed to the seller. This is accompa- 
nied with an NISZK argument that Ck(X[; p r ) commits to the highest bid, and that 
(X%, ■ ■ ■ , are next m — 1 highest bids (this can be done as a straightforward 
extension of the protocol from [LAN02] for proving that Xis the mth highest bid), 
and an NISZK range argument for either X £ = X 2 1 or X 2 > X 2 ~ 1 . After verify- 
ing the NISZK arguments, the seller posts view(r) together with the NISZK arguments 
and her own and authority’s signatures on the bulletin-board. The bidders verify the 
signatures and the NISZK arguments. The bulletin-board contents (that is, the tuple 
(Ck (£>i), • • • , CK(b r B ), view(r)) together with the signatures and NISZK arguments) is 
stored by all bidders. 

In the closing phase, all bidders verify the correctness of closing and that the win- 
ning price was determined correctly (another range argument). Y 2 can be established 
by using a method proposed in [Lip03b]: namely, all bidders and the seller participate in 
a proxy verifiable private equality test, after what the seller gets to know which bidder 
bid X 2 without getting to know the value of Xp. 

Alternative Cryptographic Implementations. Alternatively, one can implement the 
described auction mechanism by using Yao’s model of general two-party computa- 
tion [Yao82]. This would involve the design of a specific circuit that is suitable for 
the described mechanism, as successfully done by Naor, Pinkas and Sumner [NPS99] 
for mth-price auctions, although in the case of the new mechanism, the circuit will be 
considerably larger. It is also not immediately clear how to extend the Naor-Pinkas- 
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Sumner scheme efficiently to a multi-round scheme, where the number of rounds is not 
bounded. The LAN auction scheme is more communication-efficient (especially when 
the number of bidders is large), while the Naor-Pinkas-Sumner scheme, as corrected 
by [JS02], will not reveal any unwarranted information to A. Also, one can use any 
of the available mth-price cryptographic auction schemes that rely on threshold trust, 
although not all of them might be flexible enough to be used with the new mechanism. 
Finally, we share the viewpoint of [NPS99,LAN02] that threshold trust between > 2 
machines, possibly operated by the (occasional and thus untrusted) seller himself is not 
sensible in most of the auction scenarios. 

4.3 Discussion 

The Role of e. We call the bidders who are able to —approximate their true valua- 
tion e -rational. Intuitively, one may assume that it is common knowledge that non-e- 
rational rational bidders will not participate. A value of e relevant in practice can be 
0.1 . . . 0.6. Setting e <— 0 would result in Vickrey auctions. A smaller e will raise the 
time-efficiency of auctions and (as we will see) make the auctions less subject to jump 
bidding, while a greater e has the potential to attract more bounded-rational bidders. 
However, if the seller wants to have a greater participation at the expense of risking to 
have longer auctions and jump bidding, she might even set e <— 0.999. 

The Function tp. As we already saw in Section 4.2, a suitable function <f> can simplify 
the cryptographic implementation. The specific choice of cj) proposed in Section 4.2 
makes sense from both psychological and auction-theoretic viewpoint. Really, people 
are often thinking about the object’s value on the logarithmic scale (“the first item is 
worth 3 times more than the second item”) rather than on the linear scale. One should 
note, however, that this choice of function <fr requires the seller to set a lower bound 
Pmin = </> _1 (0) and an upper bound p max = — 1) on the selling price, although 

the difference between these two values can be made almost arbitrarily large, since 
</> _1 (V — l)/</> _1 (0) = _1 )/ d . Assuming, say, that e = 0.95, V = 201 and 

d = 100, this would make the price increase by 3% when bid is increased by 1, and we 
would have p max ~ 400p m i n . This setting seems to be perfect for most auctions. 

Equilibria. Setting b\ > 4>(c'i ) can occasionally result in negative payoffs. If the bid- 
ders are conservative then f}{e\) < v. t , so b\ < Moreover, in many practically 

relevant cases the strategy of bidding strictly less than is weakly dominated, so 
truth-telling results in a non-dominated equilibrium. For instance, if the bidders’ val- 
ues are private, i.e., the current price does not affect a bidder’s estimate of the value, 
the usual argument for Vickrey auctions can be used to show that bidding c/>(e[) is a 
dominant strategy. 

Moreover, truth-telling can be dominant in certain special cases of the common 
value model as well. In particular, we can show that this is the case for the “experts 
vs. amateurs” model. In this model, the valuation of the bidder i is of the form t; t = 
Wi + Tzi, where v-i, Zi are independently but not necessarily identically distributed 
random variables, and T is a random variable (same for all bidders) that can be equal to 
0 or 1. Some bidders (let us call them experts) know the actual value of T, while others 
do not. 
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This model captures the markets in which some users (e.g., art dealers in an art 
auction) can determine whether the object being sold has some desired properties (e.g., 
whether a coin is fake or authentic), while others do not have this ability. In these 
markets, proxy bidding with a fixed deadline is susceptible to “sniping”, i.e., experts 
bidding in the very last minute to prevent others from observing change in the posted 
price and adjusting their values (and hence their bids). This may result in inefficient 
allocation, and thus it is desirable to have a mechanism that does not encourage sniping. 

Note that, intuitively, when T = 1, the experts may want to shade their bid to 
conceal this fact: it might be the case that when non-experts bid just Wi, the expert 
gets the object even though his own value is not particularly high, while if the others 
knew that T = 1, they would outbid him (in some sense, this is similar to sniping). 
Fortunately, we can show that because of our choice of finishing criteria our scheme 
does not have this problem, and, in fact, always achieves efficient allocation assuming 
conservative bidders. 

Theorem 1. Assume that all bidders are consen’ative, i.e., they avoid strategies that 
may lead to negative payoffs. Then consen’ative truthful bidding ( experts bid Wi + T z „ 
others bid Wi if they cannot determine T from the outcomes of the previous rounds, 
and Wi + T Zi otherwise) is a Nash equilibrium, that is, no single bidder can gain by 
cheating. 

Proof. Consider the behaviour of bidder 1 in the first round assuming that everyone 
else bids truthfully. If bidder 1 is an amateur, or T = 0, the usual argument for Vickrey 
auctions applies. Now, suppose that T = 1. If bidder l’s truthful bid would not be 
the highest bid (assuming everyone else bids truthfully). Then bidder 1 cannot win the 
auction at a price that is lower than his value, so he might as well bid truthfully and 
lose. Hence, let us assume that bidder l’s truthful bid is higher than all other bids. Let 
b = max{& 2 i ■ • • , b^}. Suppose that bidder 1 decides to shade his bid. If he bids more 
than b (but less than his true value), the public information will be the same as in the 
case of truthful bidding, so this will not help. Alternatively, he can bid less than b, 
which means that he does not win the current round. Then, it might still be possible for 
everyone to derive that T = 1 (for instance, there may be several other experts who bid 
truthfully), so in the next round everyone will bid Wi + Tzi, and the setting is that of 
ordinary Vickrey auction. Finally, it might be the case that when bidder 1 cheats, others 
cannot be sure that T = 1. Then they will not change their bids, and unless bidder 1 
bids more than b, the auction ends and he loses. To avoid that, he himself has to bid 
more than b in the second round, so we are back to square one. □ 

Cognitive Cost. Our mechanism becomes Pareto-efficient as soon as all bidders are able 
to calculate their valuations with an arbitrary high but a priori known accuracy, given 
that the bidders are sufficiently rational to avoid a limited number of well-specified 
“bad” strategies. More precisely, one can easily prove the next theorem: 

Theorem 2. Assume that the underlying cryptographic implementation is secure. The 
described auction mechanism is Pareto-efficient with overwhelming probability if (a) 
The highest valuator is honest and in particular double-checks all zero-knowledge ar- 
guments and signatures, (b) The ith bidder never bids more than (j>(vi); and (c) The 
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highest valuator does not set 6/ < X 2 1 if Vi > (j) 1 {X1 2 1 ) *, (d) The highest valua- 
tor is e-rational. 

Proof. Assume that bidder 1 had the highest valuation, and assume that (a) holds. Then 
it is known that after the closing Xf = X.f 1 , and by (c), no bidder but 1 has a 
valuation higher than _1 ). By (a), the highest valuator still participates in the 

round R, and by (d), he is allowed to place a high enough bid. Finally, by (b), v y r > 
(Xf _1 ) and thus Y-f is the highest valuator. □ 

The virtue of this result is to make it precise when exactly the highest valuator will not 
obtain the item. In particular, it happens if his behaviour is in some sense quite irrational, 
the cryptographic implementation is insecure or other bidders are not conservative. In 
cryptography, it is important to give the security proofs under minimal assumptions, 
and our approach is the same. Moreover, all our assumptions are feasible. 

Importantly, one can trade off cognitive cost and privacy by publishing the tuple 
(X£ , . . . , X jjj, m > 2 instead of just XJ. Moreover, the mechanism can be gener- 
alised to reveal some other function of the bid vector, e.g., the number of bids exceed- 
ing a given threshold, the number of bidders who increased their bids compared to the 
previous round, etc., provided that this function can be efficiently computed in a se- 
cure manner. Depending on the structure of bidder’s valuations, this can decrease the 
cognitive costs significantly, while having a negligible effect on privacy. This allows 
for an almost continuous tradeoff between the cognitive costs and the privacy. How- 
ever, whenever a privacy leak can be quantified much more easily than the possible win 
in cognitive costs (and this usually the case), we would recommend to use the value 
to = 2 . 

Computational Efficiency. The two inequalities in Equation (1) are introduced, in par- 
ticular, to increase the computational efficiency. The leftmost inequality enforces bid- 
ders to do at least some homework to estimate their valuation with precision e. This can 
decrease the number of rounds. The rightmost inequality enforces the sequence ( if ) to 
be nondecreasing in r, and hence also helps to decrease the number of rounds. Bidding 
b\ = intuitively equals to passing: by doing so, one is guaranteed not to win at 
round r , unless his bid in round r — 1 was the highest one. The chosen solution is su- 
perior to the one where the bidders can pass if their bids are not high enough, since in 
this case some of the private information of bidders will become public. (Additionally, 
it would make it possible the bidders to collude by signalling each other.) 

One can additionally decrease the number of expected rounds by requiring that if If 
increases, then ^ _1 (6[) > (1 + <5)0 _1 (6[ _1 ) for some public value S that may depend 
on the currently second highest bid X£ _ 1 . This solution is common in English auctions, 
and can also be employed in conjunction with the described mechanism to achieve 
additional effectiveness. However, since we assume that the bidders are conservative, it 
also has the potential to decrease the revenues of the seller by a factor of (1 + S). 



1 We can make this assumption weaker, by assuming that he does not set b/ < X( _1 if Vi > 
(1+ S)^ 1 for some 8. Then the scheme will be 5-efficient, i.e., the value of the bidder 

who gets the object is within a factor of 1/(1 + 5) from the highest value. 
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4.4 Security Analysis 

When a secure cryptographic implementation is used, the auction will be correct and 
privacy-preserving. Additionally, it will have some mechanism-centric properties that 
are not shared (say) by cryptographically secured English auctions. 

We say that a bidder is antisocial if, maybe knowing that he cannot win, he bids 
more than his value solely to increase the contract price of other players [FB01]. That 
is, an antisocial bidder acts not to maximise his utility, but to minimise the utility of 
other players. We assume that antisocial bidders are conservative: that is, they will not 
bid more than the maximum of X^ 1 and their own valuation. (They do not risk to 
come out with a negative payoff.) A shill is an antisocial bidder that is manipulated by 
the seller so as to drive up the price. 

Theorem 3. Suppose that the bidders ’ signals are sufficiently independent , namely, 
that from observing his own signal and the public information . . . , Xfff 1 ), a 

bidder j cannot conclude with certainly that another bidder i has a value u, such that 
<j>(vi) > X£ _1 + 5 for a fixed value of S. Then the proposed auction mechanism is se- 
cure against shills and antisocial bidders, as soon as all signatures and zero-knowledge 
arguments are verified. 

Proof. In the round r, knowing the value X£~ x , a shill j will make some bid b j > 
4>{e r f). If b r j < Xr£ — 1 then the second highest bid will not increase. Assume y>xr- 
According to our assumption, j cannot be sure that his bid is lower than the highest bid, 
or that in the next round someone will be willing to bid more than If.. So, there is 
a chance that he will have to pay the price himself, and, being conservative, he will 
refrain from submitting a bid that is higher than his value. □ 

Security against Collusive Bids. For m = 2, the proposed auction mechanism is secure 
against collusive bids by the same reasons why it is secure against shills’ bids: namely, 
the collusive bidders must bid more than the current highest bid to get their signal 
through. However, this also means that they might have to pay for the item. This is 
at least the case when the previous round highest bidder had approximated her value 
sufficiently precisely. 

Security against Jump Bidding. English auctions are subject to jump bidding, where 
one bidder bids very high in the beginning of the auction just to scare other bidders 
away. Our previous argumentation that in the first-price auctions the bidders are not 
motivated to jump-bid does not clearly apply always - for example when Y\ knows the 
approximate value of X 2 ■ 

While the described auction mechanism does not feature complete security against 
the jump bidding, it provides an approximate protection. First, being a second-price 
auction, it is secure against the case when one bidder jump bids, since only a (relatively 
moderate) X 2 would be published and other bidders would still have a chance to over- 
bid it. Now, assume that at least two bidders jump bid, say bid within a fraction 1 — A 2S> 
1 — e of their real valuations. In this case, <f>~ 1 (X 2 ) > (1 — A) V 2 , and the minimum price 
Yf has to pay is 1 (AT 2 ) > (1 — S)V 2 instead of V 2 . This “worst” case would only 
happen in the case ^ _1 (Xj L ) > V 2 , assuming that Yf would over-bid X{ otherwise and 
that Yf and Yf do not collude. 
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Thus, in this case the highest valuator can get the item 1/(1 — S) <C 1/(1 — e) times 
cheaper than in the case when somebody else would also be doing the homework. The 
smaller is e, the less can be gained by jump bidding. A cautious seller might have £ 
to be relatively low if she is afraid of jump bidding in the case when the richest client 
is also the most diligent. (Alternatively, she can just increase the initial price.) On the 
other hand, if rich but oblivious customers are to be expected, a larger £ will be more 
beneficial to the seller. 

Adding another finishing criterion to the described auction mechanism makes it 
secure against nonconservative shills but insecure against jump bidding. Namely, if we 
say that the auction is finished if either X ^ = X j R_1 or X^ = X ^ 1 , then a shill has 
an effect on the auction only when he bids more than X\' ! 1 (and thus wins the auction). 
On the other hand, in this case a jump-bidder would be guaranteed to win the auction 
with his bid X^~ 1 unless a higher valuator will bid more than X R 1 (without knowing 
this value!) during the next round. 

Security against Premature Finishing. A possible alternative to requiring everybody 
not to decrease their bids over time is to instead have the same scheme where this 
requirement is replaced by declaring Y^~ l as the winner of the auction whenever 
< X.j 1 . However, then the highest bidder Y R 1 could in some cases prematurely 
finish the auctions (and thus decrease the revenues of the seller) by bidding X^ -1 in 
round II. In the case when only Y R = Y. R 1 will bid > X,f _1 at round R, X R will be 
equal to X R -1 . If Y^ -1 bid less than X f r ~ 1 in round R, Y^ 1 will obtain the item for 
</’ -1 (X.f ~ 1 ), which might be less than the valuation of Y 2 ft_1 . The mechanism devised 
in this paper does not have this problem. 

5 Comparison with Related Work and Conclusions 

To our knowledge, the first paper to emphasise the cognitive costs in online auctions is 
by Parker, Ungar, and Foster [PUF98]. Their paper analysed the existing mechanisms 
from this perspective and concluded that English auctions are the best in the context 
of bounded rationality. A large body of research has followed. However, it mostly 
consisted of papers that did not actually propose new mechanisms, but instead suggested 
criteria for choosing between already existing and well-known mechanisms. Moreover, 
the emphasis of the above-mentioned papers is on fully autonomous agents, and it is 
assumed that the agents can somehow quantify their computational costs of regulating 
their beliefs. This is often not the case. 

A completely different line of research has been focusing on the security against 
sellers and privacy properties of the online auctions. Various authors have been propos- 
ing a wide range of cryptographic schemes that guarantee security against sellers and 
privacy of various auction mechanisms under various assumptions, including and ex- 
cluding threshold trust. Again, the focus has been on the existing mechanisms. 

Our approach is different. We first asked what is relevant in online auctions. Our 
conclusion was that security against sellers and privacy are more important than cog- 
nitive costs (since those are hard to model precisely), while the latter is more impor- 
tant than the computational effectiveness (e.g., the number of rounds). We proposed a 
new mechanism that has all the mentioned properties, but puts emphasis on security 
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over cognitive convenience, and on cognitive convenience over computational conve- 
nience. Moreover, the described mechanism makes it possible to trade off cognitive 
costs versus computational costs (by changing the parameter e), and cognitive costs 
versus privacy (by increasing the amount of published data (X ^, . . . , X^)). It has long 
been argued that security issues and huge cognitive cost are two main reasons why non- 
manipulable auction mechanisms like the Vickrey auction are not widely used in prac- 
tice. The scheme described in this paper mitigates both concerns and is non-manipulable 
whenever Vickrey auctions are. 

The described mechanism can be used together with any reasonable cryptographic 
auction scheme. We described an implementation based on [LAN02], since we agree 
with its authors that avoiding threshold trust is more important than its bid statistics 
leakage to an established authority. Moreover, the scheme of [LAN02] is very efficient 
and easy to understand. A full description of, say, the Naor-Pinkas-Sumner [NPS99] 
auction scheme would have made the paper less modular. However, several other cryp- 
tographic schemes can be used here. 

Finally, one can simplify the proposed mechanism-protocol interleaving in a straight- 
forward way to obtain a secure proxy bidding protocol. To our knowledge, no crypto- 
graphic protocol to securify proxy bidding has been proposed before. 
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Abstract. This paper presents a secure Generalized Vickrey Auction 
(GVA) scheme that does not require third-party servers, i.e. , the scheme 
is executed only by an auctioneer and bidders. Combinatorial auctions, 
in which multiple goods are sold simultaneously, have recently attracted 
considerable attention. The GVA can handle combinatorial auctions and 
has good theoretical characteristics such as incentive compatibility and 
Pareto efficiency. 

Secure GVA schemes have been developed to prevent frauds by an auc- 
tioneer. However, existing methods require third-party servers to execute 
the protocol. Having third-party servers that are operated by indepen- 
dent organizations is difficult in practice. Therefore, it is desirable that a 
protocol be executed by the participants themselves. However, if bidders 
take part in the execution of the auction procedure, a bidder might have 
an incentive to be an active adversary so that he manipulates the decla- 
rations of other bidders to become a winner or to decrease his payment. 
In our proposed scheme, we use a new protocol that can achieve the same 
outcome as the GVA. In this protocol, the procedure executed by a bidder 
affects neither the prices nor the allocation of the bidder. Therefore, a 
bidder does not have an incentive to be an active adversary. 

Keywords: generalized Vickrey auction, combinatorial auction, mecha- 
nism design, game-theory. 



1 Introduction 

Combinatorial auctions have recently attracted considerable attention [15, 26, 
29,39,40]. An extensive survey is presented in [9]. In contrast with conventional 
auctions that sell a single item at a time, combinatorial auctions sell multiple 
items with interdependent values simultaneously and allow the bidders to bid 
on any combination of items. 

In a combinatorial auction, a bidder can express complementary/substitutable 
preferences over multiple bids. For example, in the Federal Communications 

A. Juels (Ed.): FC 2004, LNCS 3110, pp. 132-146, 2004. 

(c) IFCA/Springer-Verlag Berlin Heidelberg 2004 




Secure Generalized Vickrey Auction without Third-party Servers 



133 



Commission (FCC) spectrum auction [20], a bidder could indicate his desire for 
licenses covering adjoining regions simultaneously (i.e. , these licenses are com- 
plementary), while being indifferent as to which particular channel was awarded 
(channels are substitutable). By supporting such complementary/substitutable 
preferences, we can increase the bidder’s utility and the revenue of the seller. 

The Generalized Vickrey Auction (GVA) [35], which is also known as the 
Vickrey-Clarke-Groves (VCG) mechanism, is a generalized version of the well- 
known Vickrey auction [36] and one instance of the Clarke-Groves mechanism 
[8, 10]. The GVA can handle combinatorial auctions and has the following good 
theoretical characteristics. 

Incentive Compatibility: For each bidder, truthfully declaring his 1 evalua- 
tion values is a dominant strategy, i.e., an optimal strategy regardless of the 
actions of other bidders. 

Pareto Efficiency: If all bidders take the dominant strategy (i.e., at the domi- 
nant strategy equilibrium), the social surplus, i.e., the sum of all participants’ 
utilities including the auctioneer, is maximized. 

Individual Rationality: No bidder suffers any loss by participating in the 
auction. 

Also, under certain assumptions, we can show that only the GVA can satisfy all 
of these properties while maximizing the expected revenue of the auctioneer [17]. 

Although the GVA has these good theoretical characteristics, even its sim- 
plest form, i.e., the Vickrey auction, is not yet widely used. As discussed in 
[25], the main difficulty in using the Vickrey auction is its vulnerability to an 
insincere auctioneer. For example, if the highest bid is $1,000 and the second 
highest bid is $500, then the payment of the winner becomes $500. However, if 
the auctioneer can somehow fabricate a dummy bid at $999, the auctioneer can 
increase his revenue to $999. 

Another difficulty is that the true evaluation value is sensitive information 
that a bidder may not want to reveal [25] . For example, if a company wins in a 
public tender, then its bidding value, i.e., its true cost, becomes public, and the 
company may have difficulty in negotiating with sub-contractors. 

The authors have developed a secure GVA scheme [34] that utilizes homo- 
morphic encryption. However, this scheme requires that each bidder declare his 
evaluation values for all m n possible allocations, where m is the number of goods 
and n is the number of bidders. This is inevitable for implementing the GVA 
in the most general case. However, for many auctions in the real world, we can 
assume the following two conditions. 

No Allocative Externality: Each bidder is only concerned with the goods 
that are allocated to him, and he is indifferent to the allocations of other 
bidders. 

Free Disposal: Goods can be discarded without any cost. 

In this case, declaring his evaluation values for m n possible allocations is grossly 
redundant, since his evaluation value is the same as long as the goods allocated 

1 We stick to personal pronoun “he” throughout this paper. 
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to him are the same. Also, he needs to declare his evaluation values only for the 
bundles in which he is interested. 

The authors have developed secure Dynamic Programming (DP) protocols 
[33,41]. In principle, by repeatedly solving winner-determination problems, we 
can obtain the results of the GVA. However, the disadvantage of these secure DP 
protocols, as well as the scheme presented in [34] , is that they require third-party 
servers. These servers must be operated by independent organizations to avoid 
collusion among the servers. In practice, collecting a large number of such servers 
is very difficult. Therefore, it is desirable that the protocol be executed without 
such third-party servers, peer-to-peer network services that do not require central 
servers are becoming popular, since such services are more robust against various 
failures and are scalable. Similarly, for combinatorial auctions, it is desirable that 
the auction be executed only by participants, i.e. , the auctioneer and bidders, 
without using third-party servers. 

However, as described in [30], executing an incentive compatible mechanism 
in peer-to-peer networks is not trivial. If bidders take part in the execution of the 
auction procedure, even if the auction protocol is incentive compatible, a bidder 
might have an incentive to be an active adversary. For example, in the GVA, a 
bidder can manipulate the evaluation values of other bidders so that he would 
be a winner or his payment would decrease. We can avoid such manipulations 
by making the procedure publicly verifiable. However, this requires additional 
communication/processing costs. 

In this paper, we develop a new auction protocol that can obtain the same 
outcome as the GVA. In this protocol, for each bidder, the price of each set of 
goods (bundle) is defined first, and then each bidder can choose a bundle that 
maximizes his utility based on these prices independently from the choices of 
bundles of other bidders. This protocol looks quite different from a standard 
GVA description, in which an allocation is determined first, then the payment 
is calculated. However, we show that our new protocol can obtain exactly the 
same outcome as the GVA. 

The advantage of this new protocol is that its procedures can be distributed 
among bidders without giving them an incentive to be an active adversary. More 
specifically, in this protocol, the prices and allocation of bidder j is determined 
independently from the prices of bidder i. Therefore, if bidder j participates in 
the procedure for calculating the prices of bidder i, bidder j does not have an 
incentive to be an active adversary who manipulates the prices of bidder i. 

For example, in the most simplest form of this protocol, in which a single 
unit of a single good is auctioned, the price of bidder i for the good is defined 
as the maximal evaluation value among all bidders other than i. Clearly, this 
protocol is identical to the Vickrey auction protocol. The task of calculating the 
price of bidder i can be distributed among other bidders, since even if bidder j 
manipulates bidder ?’’s price (to increase the price), this manipulation does not 
affect the price of bidder j. Therefore, bidder j does not have an incentive to be 
an active adversary who manipulates the price of bidder i. 
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The rest of this paper is organized as follows. First, we give the standard 
description of the GVA in Section 2. Next, we describe our newly developed 
protocol that can obtain the same outcome as the GVA in Section 3. Then, 
we explain the details of the proposed secure GVA scheme in Section 4. Next, 
in Section 5, we describe the method for calculating the prices required in this 
protocol using dynamic programming (DP) [3]. Finally, we discuss the related 
works and remaining issues, including collusion among bidders, in Section 6. 

2 Preliminaries: GVA 

This section gives the standard description of the GVA. First, we define several 
terms and notations. 

— N = {1, 2, ... , n}: a set of bidders 

— M = { 1,2,..., m}: a set of goods 

— u(i,B ): the evaluation value of bidder i for bundle B C M 

— We assume free-disposal, i.e. , for all B C B' , u(i,B) < u(i,B') holds. 

— We assume quasi-linear utility, i.e., if bidder i obtains B by paying pi, his 
utility is given by u(i,B) — pi. 

9 — (c/(l), c/(2), . . . , g{n)): a feasible allocation g for a set of goods M, where 
g{i) represents the bundle allocated to bidder i, and the following two con- 
ditions hold: U 9{i ) C M, and for all i ^ j, g(i) D g(j) = 0 

— G(M): a set of all feasible allocations of goods M. 

In the GVA, for each bundle B , bidder i declares his evaluation value v(i,B). 
Note that the declared evaluation value is not necessarily the same as the true 
evaluation value u(i, B). The protocol selects a Pareto efficient allocation based 
on the declared evaluation values. More specifically, we choose an allocation 
g* = (<7*(1), <7*(2), . . . ,g*(n)) € G(M) that maximizes the social surplus, i.e., 
the sum of evaluation values of all bidders. This means for any allocation g = 
(g(l),g(2), . . . ,g(n)) € G(M), the following condition holds. 

> X^v(j,g(j)). 

j 3 

There might be multiple allocations that are Pareto efficient. In such a case, the 
GVA arbitrary selects one Pareto efficient allocation g* . 

Next, the payment of bidder i is determined as follows. Let us assume g*^ = 
G G(M) is an allocation that maximizes the social 
surplus except for i. Formally, it is defined as follows: for any allocation g = 
(g(l),g(2), . . . ,g(n)) € G(M), the following formula holds. 

J2 v U,gli(j)) > ^2 v {j,g(j))- 

The payment of bidder i, i.e., pi, is defined as follows. 

Pi = ^2 v {j,gU{j)) -^v(J>g*U))- 

3^i J^i 
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An intuitive explanation of this formula is as follows. The first term of this 
formula is the optimal social surplus except for i if bidder i would not have 
participated in the auction. The second term is the obtained social surplus except 
for i when bidder i does participate. Thus, pi represents the decreased amount of 
the social surplus caused by the participation of bidder i, i.e., bidder i is required 
to compensate this decreased amount of utilities. 

In the GVA, for each bidder i, declaring the true evaluation values, i.e., 
declaring v(i, •) = u(i , •), is a dominant strategy, i.e., a best strategy to maxi- 
mize his utility regardless of the actions of other bidders. This property is called 
incentive compatibility. The reason that the GVA is incentive compatible is ex- 
plained as follows. Since the utility of i is quasi-linear, it can be represented as 
follows. 

u(i,g*{i))~Pi = u(i,g*(i)) - (^v(j,gZi(j)) ~ ^2 v{j,g*{j))] (1) 

= Mi,9*(i))+'%2 v U,9*(j))} ~Yl v (J,9~iU)) ( 2 ) 

The third term of formula (2) is determined independently from bidder V s dec- 
larations. Therefore, bidder i can maximize his utility by maximizing the sum 
of the first and second terms of formula (2). On the other hand, g* is selected 
by maximizing 9*(j)) = v{i,g*(j)) + J2j^i v U^9*(j))- This means bid- 

der i can maximize his utility by declaring v(i, •) = u(i, •), i.e., by declaring true 
evaluation values. 

Let us describe how the GVA works. Assume there are two goods 1 and 2 
and three bidders 1, 2, and 3. The evaluation value for a bundle u(i,B) is given 
as follows. 



{1} 

bidder 1 6 

bidder 2 0 

bidder 3 0 



{ 2 } { 1 , 2 } 
0 6 

0 8 

5 5 



In a Pareto efficient allocation, good 1 is allocated to bidder 1 and good 2 is 
allocated to bidder 3. The payment of bidder 1 is calculated as follows. Without 
considering bidder 1, the best allocation is to allocate both goods to bidder 2, 
and the social surplus except for bidder 1 is 8. When considering bidder 1, the 
social surplus except for bidder 1 at the Pareto efficient allocation is 5. Therefore, 
the payment of bidder 1, i.e., pi, is given as 8 — 5 = 3. Similarly, the payment of 
bidder 3 is given as 8 — 6 = 2. 

3 New GVA- Equivalent Protocol 

In this section, we develop a new protocol that can achieve the same outcome as 
the GVA. In this protocol, as in the standard GVA, for each bundle B, bidder i 
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declares his evaluation value v(i,B). Note that the declared evaluation value is 
not necessarily the same as the true evaluation value u(i, B). 

To simplify the protocol description, we introduce the following notation. For 
a set of goods B C M and a set of bidders X, we define V*(B,X) as the sum 
of the evaluation values of X when B is allocated optimally among X. To be 
precise, let us represent the set of all feasible allocations of a set of goods B as 
G(B), where for each g = (g(l),g(2), . . . ,g(n)) € G(B ), \J ieX g(i) C B and for 
all i ^ j, g(i) n g(j) = 0 holds. V*(B, X) is defined as follows. 

V*{B, X) = max ^ v(j, g(j)). 

9e jex 

In this protocol, instead of determining the allocation first, we first determine 
the price of each bundle B for each bidder i. The price of bundle B for bidder i 
is defined as follows. 



Pi,B = V*(M, N \ {z}) - V*(M \B,N\ {*}). (3) 



Next, each bidder i chooses a bundle that maximizes his utility based on the 
prices, i.e., he chooses B*, where B* = argmaxscAf u(i, B) — Pi t B- Note that 
each bidder can choose a bundle that maximizes his utility independently from 
the choices of other bidders. To be more precise, if there exist multiple bundles 
that maximize his utility, then the protocol performs some adjustment so that 
the choices are consistent, but each bidder is still guaranteed to obtain one 
bundle that maximizes his utility. 

It is obvious that this new protocol satisfies incentive compatibility. For bid- 
der i, his prices are determined independently from his declaration. Also, he can 
choose the optimal bundle regardless of the choices of other bidders. Therefore, 
bidder i has no incentive to manipulate the prices of other bidders (which are 
dependent on his declaration) . Since this protocol satisfies incentive compatibil- 
ity, in the rest of this paper, we assume each bidder declares his true evaluation 
values u(i,B). Thus, V*(B,X) can be represented as follows. 



max 

96 G(B) 



jex 



This protocol is identical to the GVA, i.e., the following theorems hold. 

Theorem 1. A bundle B maximizes bidder i’s utility if and only if for some 
g* , g*{i) = B holds. 

Theorem 2. If B maximizes bidder i’s utility, then pi = Pi,B holds. 



In proving these theorems, we use the characteristics described below. From 
the definition, the following formula holds. 



jAi 
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Furthermore, for g* = (g*(l),g*(2), . . . ,g*(n)), the following formula holds. 

E u ^9*U)) = V*(M \ g*(i), N \ {*}). 

The proof of Theorem 1 is as follows. First, we show if for some g*, g*(i) = B, 
then B maximizes bidder V s utility. More specifically, we derive a contradiction 
by assuming for some g*, g*{i ) = B but bundle B does not maximize bidder 
i’s utility. In this case, there exists another bundle B' and u(i, B') — Pi t B' > 
u(i , B) — pi t B holds. 



Pi,B' = V*(M, N \ {z}) - V*(M \B',N\ {*}). 

Pi,B = V*(M, N\{i})~ V*(M \B,N\ {*}). 

Therefore, the following formula holds. 

u(i, B') + V* (M \B\N\ {*}) > u(i, B) + V*(M \B,N\ {*}). 
However, the right side of this equation can be transformed as follows. 
u(i, B) + V* (M \B,N\ {*}) = u(i, g*(i )) + V*(M \g*(i),N\ {*}) 

= u{i,g*{i)) +Y^u(j,g*{j)) 

= ^Zu{j,g*{j)). 

3 

The right side of this equation represents the social surplus at Pareto efficient 
allocation g* . On the other hand, the left side is the social surplus when allo- 
cating B' to bidder i and allocating other goods optimally among bidders other 
than i. This contradicts the assumption that g* is Pareto efficient. 

Next, we prove that if a bundle B maximizes bidder i’s utility, then for some 
g*, g*(i ) = B holds. More specifically, we derive a contradiction by assuming a 
bundle B maximizes bidder i’s utility but for any g* , g*(i) ^ B. 

In this case, there exists bundle B\ where B' ^ B, B' = g*(i ), and u(i. B) — 
Pi,B > u(i,B') — Pi,B' hold. Therefore, the following formula holds. 

u(i, B) + V*{M \B,N\ {i}) > u(i, B') + V*{M \B',N\ {i}). 

However, the right side of this formula represents the social surplus at Pareto 
efficient allocation g*, while the left side is the social surplus when allocating B 
to bidder i and allocating other goods optimally among bidders except i. This 
contradicts the assumption that g* is Pareto efficient. □ 

Next, we prove Theorem 2. From Theorem 1, when B maximizes bidder i’s 
utility, then for some g*, g*(i) = B holds. 

Pi = X}u(j,gHi(j)) ~^2 u (j,g*(j)) 

= V*(M, N \ {*}) -V*(M\ N \ «) 

= Pi,B ■ 
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From the above, Theorem 2 is obtained. □ 

If there exist multiple Pareto efficient allocations, then multiple bundles can 
simultaneously maximize the bidder’s utility. In this case, the protocol needs to 
adjust allocations so that the choices of bidders are consistent, i.e., no good is 
allocated to different bidders simultaneously. However, Theorem 1 states that 
any bundle B that is allocated to bidder i in a Pareto efficient allocation would 
maximize bidder V s utility. Therefore, by choosing any Pareto efficient allocation, 
we can find a way to adjust choices so that the choices of bidders are consistent 
and each bidder is guaranteed to obtain one of the optimal bundles. 

Let us describe how this protocol works. In the identical setting of the pre- 
vious example, the price of each bundle is calculated as follows. 



{ 1 } 

bidder 1 3 

bidder 2 6 

bidder 3 8 



{ 2 } { 1 , 2 } 
8 8 

5 11 

2 8 



For example, when determining the prices for bidder 1, V*(M,N \ {1}) is the 
optimal social surplus without considering bidder 1. This is equal to 8. When 
B = {1}, V*(M\B,N\{ 1}) = P*({2}, {2, 3}) means the sum of the evaluation 
values when good 2 is allocated optimally among bidders 2 and 3. The optimal 
allocation is allocating good 2 to bidder 3. Thus, V*({2}, {2,3}) = 5. Therefore, 
Pi,{i} =8-5 = 3. When B = {2}, V*{M \B,N\ {1}) = V*({1}, {2, 3}) is 
equal to 0, since neither bidder 2 nor 3 wants good 1 alone. Therefore, Pi, { 2 } = 
8-0 = 8 . 

Given these prices, bidder 1 obtains good 1 at price 3, and bidder 3 obtains 
good 2 at price 2. 

4 Secure GVA 

In this section, we show how the new protocol presented in the previous section 
can be executed without third-party servers. 

4.1 Economic Model of Bidders 

We assume a bidder is rational, i.e., he tries to maximize his own utility. Fur- 
thermore, we make the following assumptions. 

1. If a bidder has no incentive for acting dishonestly, i.e., his utility does not 
strictly increase by telling a lie or deviating from the protocol, then he will 
act honestly. 

2. There is no way to enforce side-payments among bidders. 

3. For each bidder, computation/communication costs for executing the proto- 
col are negligible. 




140 



Makoto Yokoo and Koutarou Suzuki 



The first assumption is called e-truthfulness [24]. Although this assumption 
might sound rather strong, it is natural if we assume the moral consciousness 
of a bidder provides a very slight preference toward acting honestly rather than 
acting dishonestly for nothing. 

From the first and second assumptions, a bidder i cannot persuade another 
bidder j to do some action, unless doing so is profitable for bidder j. Therefore, 
a collusion of bidders is possible only when each participant in the collusion has 
strictly positive gain. 

Also, from the first and third assumptions, a bidder will not neglect to execute 
the protocol simply due to laziness. 

4.2 Proposed Scheme 

The outline of the proposed scheme is as follows. Bidders N execute the following 
procedures, n — 1 bidders other than bidder i are assigned to calculate the prices 
for bidder i. We call these bidders N \{i} as price-calculators for bidder i. 

1. Price-calculators N \ {i} for bidder i perform a multi-party computation 
protocol [4] that is secure against passive adversary , to compute 

{(i, B,pi'B)\B C M} from secret input u(j, B) of bidder j £ N\ {?'}. 

Then, the result {{i, B ,pi^s)\B C M} is published. 

2. After the results {(«, B,pi^)\B C M} for all i are published, the result of 
the auction is calculated as follows. 

Bidder i finds all bundles B* that maximize his utility and publishes them. If 
there is conflict between these allocation, bidders adjusts bundle allocations 
so that they do not conflict with each other. As described in Section 3, we 
can always find consistent bundle allocations. 

Finally, the allocation {B*\i G N} of goods and prices {pi,B*\i £ -/V} are 
announced. 

For this protocol, the following theorem holds. 

Theorem 3. If a bidder satisfies the above economic properties, this bidder ex- 
ecutes the protocol honestly. 

The proof of Theorem 3 is as follows. In Step 1, if bidder j is a price-calculator 
for bidder i, the prices and the allocation of bidder i do not affect the prices or 
the allocation of bidder j, i.e., bidder j can obtain the optimal bundle regardless 
of the allocation of bidder i. Therefore, bidder j has no incentive to increase the 
prices of bidder i. 

Also, since we assume there is no way to enforce side-payments among bid- 
ders, bidder j does not have an incentive to decrease the prices of bidder i. 
Furthermore, since we assume computation/communication costs for executing 
the protocol are negligible, bidder j does not have an incentive to neglect exe- 
cuting the protocol simply due to laziness. 

Therefore, bidder j does not have an incentive to be an active adversary when 
calculating the price of bidder i. From above, bidder j will execute the protocol 
honestly, since he has no incentive to act dishonestly. 
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In Step 2, bidder i can maximize his utility by publishing all bundles B* that 
maximize his utility. Therefore, bidder i does not have an incentive to manipu- 
late the results. Although bidders adjust bundle allocations so that they do not 
conflict with each other, their utilities are the same for all possible combinations. 
Therefore, bidders do not have an incentive to manipulate the results. □ 

From Theorem 3, the following theorem holds. 

Theorem 4. If all bidders satisfy the above economic properties, the proposed 
protocol can unconditionally securely compute prices {(i, € N, B C M} 

and auction result {B*\i e N} against t <(n — l)/2 adversaries. 

The proof of Theorem 4 is as follows. By Theorem 3, price-calculators N \ {i} 
for bidder i follow the protocol, so we can assume that adversaries are passive. 

In step 1, since there are at most t < (n — l)/2 passive adversaries in n — 1 
price-calculators N\{i} for bidder i, a multi-party computation protocol [4] can 
unconditionally securely compute prices {{i, B ,pi^)\B C M}. 

In step 2, bidders honestly calculate the auction result from published prices 
{(*, B,p itB )\i e N, B C M}. □ 

In the protocol, price is published. However, pi t s is obtained by aggre- 
gating many evaluation values of bidders. Therefore, it is difficult to precisely 
estimate each evaluation value from this information. 



5 Efficient Price Calculation 
Using Dynamic Programming 

In the previous section, we assume price-calculators calculate pt t s by directly 
applying formula (3). However, to calculate each of the first and second terms 
of formula (3), we need to solve a combinatorial optimization problem that is 
NP-complete [26]. Although the first term is common for all B , the second term 
must be calculated for each B. Note that we need to calculate p t ,n for all bidders 
i € N and for all bundles B C M. 

In this section, we describe an alternative method for calculating prices that is 
much more efficient than calculating pi^B directly using formula (3). This method 
utilizes dynamic programming (DP) [3] to incrementally calculate V*(B, N\{i}) 
for all B C M. 

We assume each bidder j (except i) is declaring his evaluation value u(j, B ) 
for each bundle B in which he is interested. If bidder j has substitutable evalu- 
ation values, e.g., bidder j wants B i or B 2 but not both at the same time, we 
introduce a dummy good d. More specifically, we assume bidder j is interested 
in both B\ U {d} and B 2 U {d}. By introducing the dummy good, we can avoid 
allocating both B\ and B 2 to bidder j at the same time. This must be done 
whenever u(j, B 1) + u(j, B 2 ) > u(j , B\ U B 2 ) holds. 

Then, we create a node ( B , |B|) for each bundle B C M. \B\ is the number 
of goods included in B. Also, we create the following directed, weighted links for 
each bundle B in which bidder j is interested. 
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- a link from node ( B , |_B|) to terminal node ({}, 0), 

where its weight w((B, |_B|), ({}, 0)) is u(j,B) 

- for each B', B" C M, where B" C B' , B' \ B" = B, and \B"\ > \B'\/2, 

a link from node (B ' , \B'\) to node (B" , \B "\ ), 

where its weight w((B ’ , |£>'|), (S", IB"!)) is u(j , B) 

If there exists a bundle B in which nobody is interested, then we assume a 
dummy bidder jd is interested in B , where evaluation value u(jd, B) = 0. Also, 
if there exists a bundle B in which multiple bidders are interested, multiple links 
must be created between (B 1 , \B'\) and (B" , |B"|). To avoid making the notation 
too verbose, in presenting the DP procedure, we assume there exists only one 
link between each pair of nodes. 

We show an example of nodes and links, where M = {1, 2, 3}, in Figure 1. A 
circle is a node and the description within a circle represents B, \B\, where B is 
a bundle. 

In this graph, the length of the longest path from node ( B , |B|) to terminal 
node ({},0) represents the sum of the evaluation values when allocating goods 
B optimally to bidders other than i, i.e., V*(B,N\ {*}). 

Let us represent the length of the longest path from ( B , \B\) as /((I?, |.B|)). 
Then, f((B , |£>|)) can be calculated by the following recurrence formula. 

- /(({},o)) = o 

- MB, |B|)) = max ((Bi | B|)i(B ,,| B , |)) [«;((B, \B\), (S', \B'\)) + f{{B ', |B'|))]. 

By using this formula, we can obtain /((B, |B|)) by starting from a node that has 
a smaller \B\. The price of bidder i for bundle B , i.e., p.-, b, is given as V*(M, N\ 
{i})-V*(M\B,N\{i}). Therefore, p i>B = /((M, |M|)) - f((M\B, \M\ B\)). 

We can use any MPC protocol to calculate the above formula to prevent 
leaking w((B , |i?|), (B ' , |I3 / |)), which represents the evaluation value of a bidder. 
Besides using a general-purpose MPC protocol, we can use the specialized meth- 
ods presented in [33,41]. Note that we don’t need to construct a graph for each 
B C M. Instead, we construct one graph for all B C M and calculate f((B, |B|)) 
for all B in a single run of the DP procedure. 

In using the DP procedure, we need to create a graph that consists of 2 m 
nodes to calculate the prices. If the number of goods m becomes large but the 
number of bundles in which each bidder is interested is relatively small, the graph 
contains exponentially many nodes, while most of the links are dummy links with 
zero weights. We are currently developing an efficient method for handling such 
graphs. One important special case of general combinatorial auctions is multi- 
unit auctions, in which multiple identical units of a good is auctioned. In this 
case, as described in [33], the DP procedure requires only 0(n x to) nodes instead 
of 2 m nodes. 

The advantage of using the DP method over calculating formula (3) for each 
bundle is clear, since we don’t need to solve a combinatorial optimization problem 
for each B. On the other hand, in the DP method, for each B , f((B , |i?|)) 
are published. However, f((B , [£?[)) is obtained by aggregating many evaluation 
values of bidders. Therefore, it is difficult to precisely estimate each evaluation 
value from this information. 
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Fig. 1 . Example of graph for Dynamic Programming 



In the proposed scheme, each bidder declares his evaluation values only for 
the bundles in which he is interested. On the other hand, in the scheme described 
in [34], each bidder needs to declare his preference over m n possible allocations, 
where n is the number of bidders and m is the number of goods. When the 
number of bidders n becomes large, the number of possible allocations becomes 
very large. 

6 Discussions 

Many works have been carried out for secure sealed-bid auctions[l, 2, 5-7, 11-14, 
16,18,19,21-23,27,28,31,33,32,37,41]. In all of these schemes, however, the 
GVA has not been treated with the notable exceptions of [21] and [34]. Naor, 
Pinkas and Sumner [21] proposed a general method for executing any auction, 
including combinatorial auctions, based on a technique called the garbled circuit 
[38] . This method does not require interactive communications among multiple 
evaluators. However, designing a combinatorial circuit to implement the GVA as 
a whole is still an open problem, and the obtained circuit can be prohibitively 
large. 

Suzuki and Yokoo [34] proposed a secure GVA protocol. However, as dis- 
cussed in Section 1, this scheme requires that each bidder declare his evaluation 
values for all m n possible allocations. Also, this scheme requires third-party 
servers. 

By repeatedly applying the secure dynamic programming scheme [33,41], 
we can determine the winner and payments of the GVA. However, if a bidder 
participates in the traditional procedure of the GVA, the bidder might have an 
incentive to be an active adversary. 

When bidders take part in the auction procedure, an auctioneer might be 
concerned about collusion among bidders. Actually, the GVA protocol is vulner- 
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able against collusions even if the auctioneer executes the auction procedure. For 
example, in the simplest form of the GVA, i.e., the Vickrey auction, bidder i, who 
has the highest evaluation value, can bribe the second highest bidder j to reduce 
j’s declaration so that i’s payment becomes smaller. One method to reduce the 
effect of collusion is to set reservation/minimum prices for each good. In our 
proposed scheme, this is possible if the auctioneer participates in the auction as 
a bidder. The auctioneer declares the price of each good, i.e., he is not willing 
to sell the good at less than that price. 

7 Conclusions 

In this paper, we developed a secure GVA scheme in which the GVA can be 
executed without using third-party servers, i.e., the scheme can be executed 
only by the auctioneer and bidders. We first developed a new auction protocol 
that can achieve the same outcome as the GVA. In this protocol, for each bidder, 
the price of each bundle is calculated first, and then each bidder can choose a 
bundle that maximizes his utility based on these prices independently from the 
choices of bundles of other bidders. In this protocol, the prices and allocation 
of bidder j are determined independently from the prices of bidder i. Therefore, 
if bidder j participates in the procedure for calculating the prices of bidder i, 
bidder j does not have an incentive to be an active adversary who manipulates 
the prices of bidder i. 
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Abstract. We describe the design and implementation of secure and 
robust protocol and system for a national electronic lottery. Electronic 
lotteries at a national level are a viable cost effective alternative to me- 
chanical ones when there is a business need to support many types of 
“games of chance” and to allow increased drawing frequency. Electronic 
lotteries are, in fact, extremely high risk financial application: If one dis- 
covers a way to predict or otherwise claim the winning numbers (even 
once) the result is huge financial damages. Moreover, the e-lottery process 
is complex, which increases the possibility of fraud or costly accidental 
failures. In addition, a national lottery must adhere to auditability and 
(regulatory) fairness requirements regarding its drawings. Our mecha- 
nism, which we believe is the first one of its kind to be described in 
the literature, builds upon a number of cryptographic primitives that 
ensure the unpredictability of the winning numbers, the prevention of 
their premature leakages and prevention of fraud. We also provide mea- 
sures for auditability, fairness, and trustworthiness of the process. Besides 
cryptography, we incorporate security mechanisms that eliminate vari- 
ous risks along the entire process. Our system which was commissioned 
by a national organization, was implemented in the field and has been 
operational and active for a while, now. 



1 Introduction 

Generating numbers for the support of lotteries is a utility that needs to pro- 
duce unpredictable numbers with additional protection (e.g., against premature 
disclosure) and a secure system supporting various sorts of fraud prevention 
mechanisms throughout the entire lottery process. A huge amount of money is 
at stake for the lottery operator in case of malicious intervention in the number 

A. Juels (Ed.): FC 2004, LNCS 3110, pp. 147-163, 2004. 
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drawing mechanism or anywhere else in the system (e.g., introducing a win- 
ning coupon “after the fact”). Thus, what we need is assurances of robustness 
that will make sure the desired unpredictability properties while facing a new 
set of attacks perhaps by insiders or other parties with access to various partial 
relevant data. In the real world, achieving these aims can be traditionally accom- 
plished with mechanical lotteries performed live on TV with a certified auditor 
present. However, due to recent business needs, the use of such lotteries is not 
suitable. For instance, there may be a requirement for very frequent drawings 
(every 5 minutes in KENO-like games) or drawings that should be accomplished 
within a very short time interval. In such cases the use of electronic lotteries is 
inevitable. Also, dynamically games may change as new games are introduced 
and the cost of new mechanical device for each game is quite large, whereas an 
electronic device producing random bits is much more easily adapted to new 
games, merely by re-interpretation of the random stream of bits. Regarding the 
consumer side, auditability is required and acceptable assurances are required 
to make sure that the lottery result is fair. Assuring that the process is indeed 
a “game of chance” may also be required by regulation. This is in contrast with 
“Internet casino sites” that rather than playing a fair game (with some agreed 
upon bias, perhaps), might secretly study specific user behavior and tune their 
games accordingly, to maximize profit. 

Related Work 

A number of designs that seem to lack scalability (which is a must in a national 
lottery game) are available in the literature. In [9], a lottery protocol is presented 
that allows the support of e-casinos with secure remote gambling. An interesting 
feature of the protocol is that the initial randomness (seeds) is chosen through 
the collaboration of two or more players in such a way that the final choice is 
essentially random to all of them. The protocol also includes various auditing 
functions that build trustworthiness between the casino owner and the players. 
However, the need for collaboration of players and the overhead in the required 
protocol steps make it rather unsuitable for large scale electronic lotteries with 
a large expected player participation and a requirement for fast operation. The 
paper also present some interesting practical issues pertaining to the design and 
operation of remote electronic lotteries. In [6] , another electronic lottery proto- 
col is proposed based on the concept of delaying functions. A delaying function 
is a function that cannot be computed in time less than a predetermined time 
limit. Although these functions ensure fairness and public verifiability of the 
whole process, the time required for the verification is as long as the time to 
compute the function and this can be unacceptably low in applications where 
the drawings are frequent. Also, the status of the best time to compute a func- 
tion may change as our knowledge changes (due to lack of solid lower bounds 
in complexity theory), thus the delay may not be robust enough over time (one 
can, of course, always adjust the parameters to handle algorithmic advances but 
it requires awareness of the advances on the designers’ side). In addition, the 
protocol puts an upper bound on the number of lottery coupons one can buy 
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which is unacceptable in a scalable nation-wide design. In [24], a protocol based 
on a bit-commitment scheme where a secret (the winning numbers) is committed 
to and can be read by the lottery players only after a predetermined amount of 
time. This still can be unacceptable in applications that require frequent draw- 
ings and unsuitable for large scale lotteries. In [22], a protocol for Internet based 
lotteries is presented. It generates the winning numbers using the played coupons 
with cryptographic primitives such as hash functions. This protocol is actually 
incorporated in a tool that supports user-initiated drawings and verification of 
the generation process. However, this cannot be used in large-scale lotteries with 
many participating users where each user is part of the auditing function. In [13] 
a protocol is presented that involves a bit-commitment scheme on the part of 
the electronic lottery so that the chosen seed cannot later be changed. It allows 
users to participate in the drawing of numbers indirectly by incorporating their 
numbers in the chosen seed. A scalability issue with this protocol is that it re- 
quires some computation steps that need to be performed by the players so that 
they can decide whether they win or not. 

In [26] , another protocol is presented whose main features are the preservation 
of the anonymity of the players and the existence of a mechanism for paying 
the winners. However, this protocol still requires the users to participate in 
the identification of the winners and, also, adds the complication of payments 
that usually is not an issue since the winners can claim their prizes later at 
the lottery organization or some designated bank out of band. In essence this 
protocol is about the front end user handling over the Internet, whereas we 
concentrate on the back end support (that can be augmented to include a front 
end over the Internet). The protocol presented in [12] uses as primitives a bit- 
commitment scheme and a hash function and it is suitable for a large-scale 
Internet operation (but it is essentially a protocol for Internet betting rather than 
lottery). It attempts to minimize the transactions between involved parties for 
security and efficiency reasons. The protocol mainly addresses Internet security 
and it focuses on resolution of conflicts among parties as well as prevention of 
collaboration among them towards forgery. Thus, it does not focus on the crux 
of the system, namely on the number generation process. 

Finally, practical ideas and techniques on the frequently neglected but highly 
critical issue of generating and managing securely the “true” randomness neces- 
sary for various components of cryptographic applications can be found in [10] 
and the references contained therein, as well as Chapter 10 of the book of Fer- 
guson and Schneier [7]. 



Our Design 

The protocol we describe in this paper has been implemented in a real nationwide 
electronic lottery environment that requires frequent drawings per day with strict 
drawing times. Thus, the large number of expected players and the hard timing 
constraints essentially preclude the explicit participation of users in the number 
generation and winner identification processes. Our design is scalable, since it is 
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a nationwide application that is alive. In contrast with all previous approaches, 
to build up people’s trust in the electronic lottery we have done the following: 

1. We focused on the core number generation process and our protocol incorpo- 
rates several interacting cryptographic primitives that ensure the credibility 
of the process. Each element of the generation combines various independent 
technologies concurrently to assure cryptographic robustness. 

2. We provided protection against various manipulations of the process assur- 
ing the necessary security level, so as to avoid a huge financial loss for the 
lottery organization if one manages to interfere with or prematurely learn 
the process. We used bit commitments, signatures and encryptions to protect 
various pieces of information and bind the results to the bidding data. We 
protected the process against premature or future manipulation by binding 
it to the system’s state via a process we call state stamping. 

3. We designed extensive real-time auditing facilities. We made sure that some 
independent processes will monitor/ audit other critical components as much 
as possible, so that actions can be verified after the fact due to logging, 
signing, etc. 

4. We took into account performance (time constraint) requirements. 

5. We incorporated security mechanisms (since cryptography alone is never a 
complete security solution) . We isolated parts of the network and employed 
network security tools, and designed for independent actions and logs to take 
place. We also took care of physical and operational security. 

6. In addition, since delays or cancellations of the drawings may damage the 
reputation of the lottery organization, there is a provision for replication 
(fault tolerance) at all system levels (hardware and software) in order to 
increase reliability and achieve lrigh-availability. 

7. We assured modularity, enabling the protocol to be suitable plug-in com- 
ponent in, e.g., as part of an Internet lotteries that also take care of many 
interacting parties such as banks, lottery organization, coupon sellers, etc. 

In what follows, we will describe the protocol by describing its basic primitives 
and the way they interact with each other. In Section 2 we motivate and discuss 
the requirements posed by an electronic lottery design. In Section 3 we provide 
a design proposal to meet the set requirements. In Section 4 we provide a high- 
level functional description of the components and the drawing protocol used by 
the electronic lottery. In Section 5 we provide the details of the implementation 
of each of the components. Finally, in Section 6 we summarize the main feature 
of the electronic lottery protocol and discuss possible practical improvements 
and extensions of a real implementation of the protocol. 

We believe that this work will serve as a starting point for triggering thoughts 
and proposals on how application-driven protocols for the production of random 
numbers should be designed, in terms of security, robustness and efficiency, for 
use in other electronic lottery settings and similar scenarios “where true pseu- 
dorandomness counts.” 
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2 Operational Environment and Requirements 

2.1 The Environment 

The operational context in which the electronic lottery operates is the following 
(see Figure 1). The players submit their coupons (on which they mark their 
number choices) at one of 6000 lottery agencies. Then the agencies send (via 
telephone lines) the coupon data to the central computer of the lottery organi- 
zation where the support software stores them in a special coupon file. Exactly 5 
minutes before the predetermined time of the next the drawing, no more coupons 
are permitted in the system and the bidding stops. Note that in the future the 
agencies and phone lines can be augmented with Internet servers that collect 
coupons from individual Internet users in another lottery distribution channel 
(the rest of our mechanism constituting the back-end and result publication 
component stay as is). 

At this stage, the electronic lottery is initiated by the central computer and 
produces the numbers at the exact time of the drawing, sending them over to the 
TV channel as well as to the central computer. Every element in the system has 
an independent backup and many channels are replicated. Various auditing and 
monitoring is performed on-line. Reliability is another issue we provide, which 
implies replication of components. 

In more details, due to high-availability and security requirements, the elec- 
tronic lottery is composed of three components: two computers, the generators, 
interconnected in a master-slave configuration so as the slave automatically takes 
over in case of failure of the master plus one computer, the verifier, that acts as an 
intermediate between these computers and the central computer. The generators 
are totally isolated from the environment and they only communicate with the 
verifier, to which they send the numbers plus other auditing information. Then 
the verifier checks the integrity of the drawing and if all checks are successful 
then the numbers can be safely transmitted to the central computer. Moreover, 
for auditing purposes, the generators send the numbers also to a printer and 
a computer monitor placed at a supervisor’s office for cross-checking and they 
store them on CD-recorder and hard disk for later verification. 

Finally we assure physical security. The electronic lottery system (i.e the two 
generators plus the verifier) is enclosed in a shielded room with biometric access 
control system which is under a 24-hour per day camera surveillance (and there 
is a plan for periodically updating the physical protection). 



2.2 Sets of Requirements for the Electronic Lottery 

The great financial risks involved in the building and operation of the electronic 
lottery necessitated a very careful consideration of all possible security aspects 
as well as environmental factors that may disturb the normal operation of the 
lottery (e.g. power and network failures). 

Generally speaking, the main “operational requirements” placed on a system 
capable of supporting any lottery can be summarized in the following: 
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1. The produced numbers should obey the uniform distribution over their in- 
tended range. 

2. It should be infeasible for anyone (either the lottery operator, the lottery 
designers or the players) to guess the next number of the lottery, given all 
the lottery history, with chances better than if the next number was to be 
chosen at random. 

3. It should be infeasible for anyone (either the lottery operator, the lottery de- 
signers or the players) to interfere with the drawing mechanism and with the 
choice of winners (even after the drawn numbers are known and published) . 
In case such an interference eventually occurs, then this fact is detectable. 

4. The drawing mechanism should be designed so as to obey a number of stan- 
dards and, in addition, there should also be a process through which it can 
be officially certified (by a lottery designated body) that these standards are 
met by the chosen mechanism. 

5. The drawing mechanism should be under constant scrutiny (by a lottery 
designated body) so as to detect and rectify possible deviations from either 
of the above requirements or potential tampering with it. 

6. The details of the operation of the drawing mechanism should be publicly 
available to people so as to ensure their trust and interest in the games. In 
addition, this ensures a publicly open lottery auditing protocol (which may 
be required by regulations). 

Ensuring these requirements is accomplished (under a reasonable physical 
model) through the use of the traditional drawing mechanism of balls that are 
shuffled by some random physical process and then chosen from within an urn, 
where this entire process is performed publicly and with auditors present and is 
pre-authorized by a state authority. This appears to achieve all requirements set 
above plus people’s satisfaction that the whole mechanism is trustworthy and 
fair to them. 

The situation changes dramatically, however, if business requirements neces- 
sitate the use of electronic means as is our case. There are many reasons why one 
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would prefer this option over the traditional drawing mechanism. For example, 
to increase players’ interest for participation in lottery games, many lottery or- 
ganizations (such as the one using the protocol we describe in this paper) desire 
to perform many drawings each day instead of the traditional end-of-tlre week 
drawing. This is done in KENO-like games where drawings may be performed 
as frequently as every 5 minutes, increasing the lottery organization’s chances 
for profits. This is because people play more frequently since they are attracted 
by the fact that if the do not win at the current draw, they may well be winners 
at the next draw in a few minutes. Another reason for not using the traditional 
drawing mechanism could be the fact that the lottery organization desires the 
introduction of a variety of games with numbers drawn in different ways (e.g. 
repetitions allowed or not, different ranges, etc.), a thing that would require 
building many drawing machines with high cost and construction time. Indeed, 
in our case, the lottery organization desired the introduction of two different 
games, one with the selection of three numbers from 0 to 9 (repetitions allowed) 
and another one with the selection of 5 numbers from 1 to 35 (repetitions not 
allowed). Also, there was a requirement for four electronic drawings per day at 
predetermined times. In addition, for publicity and publication (as well as mar- 
keting) benefits, each drawing should be sent over to a private TV channel that 
displays the numbers in real time at the lower third of the screen. The publica- 
tion method integrity is assured on-line. The numbers are also sent over to the 
computer that stores the played coupons so that the winner can be selected and 
various statistics calculated. 

Finally, a very important requirement with regard to all the entities involved, 
was the high-availability of the electronic lottery. No delay or cancellation of a 
drawing was acceptable due to failures of the electronic lottery as this would 
jeopardize the success of the new games as well as the reputation of the entities. 

From the above considerations, it is clear that traditional drawing mecha- 
nisms are costly and cumbersome, if not impossible, to use and support the 
business operational requirements. 

Taking into account the above discussion on the “security and safety require- 
ments” of the whole system, the security requirements for our application can 
be described more precisely as follows: 

1. Confidentiality: Information should be disclosed only to the intended recip- 
ients and no leaks of information occur before predetermined time points. 
Confidentiality can be achieved through encryption methods as well as secure 
random number sources that prevent estimation of their evolution. 

2. Integrity: No unauthorized changes should be made, both in stored and 
transmitted data. Integrity of data can be achieved through the use of com- 
putation of hash and MAC functions. 

3. State stamping: The lottery outcome is a function of a given state repre- 
senting all the coupons of the current drawing and the internal (randomly 
chosen) state of the lottery mechanism, some of it secret. The system should 
stamp the state using cryptographic tools so that no future modifications 
are possible without detection. 
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4. Availability: The system should be ready for operation any time it is needed 
and should not turn down authorized service requests (subject to given ser- 
vice/ performance requirements). Availability can be achieved through com- 
ponent and data path replication. 

5. Accountability: All access to, or modification of, specific information in the 
system should be detected and, possibly, traced to specific sources (this also 
include identification schemes). Non-repudiation of an action is the lack of 
capability of an actor to deny an action, and as a security property, it is 
closely related to accountability. These requirements can be achieved using 
mechanisms of electronic signing and commitment. 

In the next section we will provide the design of the electronic lottery and 
justify the design choices. 

3 Design Considerations 

In this section we will discuss the components of the solution to the drawing 
process. We explain how we met the security requirements, confidentiality, state 
stamping, integrity, availability and accountability described above. More specif- 
ically, we describe the specific electronic lottery choices we made, indicating for 
each of them the specific requirement it meets. We employed numerous cryp- 
tographic primitives and protocols at the low level of the generation making it 
robust according to the requirements. 



3.1 Randomness Sources 

One component of the confidentiality requirement concerns the use of a good 
source of random numbers. There are three approaches, other than the tradi- 
tional one, for producing sequences of numbers: (i) Using an appropriate al- 
gorithmic scheme - pseudorandom number generator, (ii) Using some physical 
process such as, for example, semi-conductor noise - truly random number gen- 
erators, and (iii) Using a combination of (i) and (ii) . There is much debate going 
on as to which is the best approach. Approach (i) has been subjected to the crit- 
icism, that an algorithm has a limited, although huge, number of possible states 
and, as it follows a well defined set of steps, it may be amenable to some clever 
educated guess attack. Although the introduction of, the so called, cryptographi- 
cally secure pseudo-random number generators can handle this criticism the fact 
remains that an algorithm is deterministic and, thus, its output can always be 
guessed in principle, given the initial state. Approach (ii) on the other hand re- 
ceives the criticism that physical processes often obey specific distribution laws 
that may enable one to limit the range of possible future evolutions of a gener- 
ator based on them. In addition, physical devices often malfunction or deviate 
from their initial statistical behavior depending on environmental factors such as 
temperature, humidity, magnetic fields etc. This may, also, enable one to easily 
interfere with the number generation process. In addition, physical randomness, 
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if not backed-up correctly (for auditing purposes), is hard to reproduce and, 
thus, check appropriately. Finally, according to approach (iii), software-based 
pseudorandomness and truly random generators are both used (as a hybrid) in 
a way that amplifies their advantages and diminishes their disadvantages. It is 
exactly this approach that, we believe, is the most beneficial for designing a sys- 
tem for the needs of a lottery and this is the approach we followed and describe 
below. We also replicate generators of both types, and combine streams of in- 
dependent generators to achieve cryptographic robustness, in case some method 
or technology fails. 

Of course, approach (iii) alone is not, by itself, sufficient to guarantee that 
the lottery system obeys all the requirements. We still have to consider the 
exclusion of many possible threats such as post-betting, malicious intervention, 
system observation, system access protection and many more. 

3.2 Seed Commitment and Reproduction of Received Numbers 

An issue that arises when a drawing is performed is whether the seeds claimed 
to have been used by the generation process were actually used. Ensuring that 
the seeds were actually used, entails the use of a bit-commitment protocol and 
is related to the integrity and accountability requirements. The commitment is 
performed by the number generator and the related information is transmitted 
to the verifier that performs the necessary checking. This commits to a verifiable 
state, yet keeps the confidentiality of the seed to prevent premature leakage. 

3.3 State Stamping: Prevention of Post-betting 

A major requirement from the random number generation protocol was to be in 
position to detect post-betting, i.e. to detect whether a coupon was inserted into 
the coupon file after the current drawing is closed. This meets the integrity and 
accountability requirements as it guards against illicit coupon file modification. 
In addition, when this especially bad situation is detected, the protocol should be 
terminated immediately and report it, essentially canceling the current drawing. 
One way to detect post-betting is to use a fingerprint (hash value) of the coupon 
file after the bidding time is over and check that it still has the same value. If 
not, an error condition is raised and a supervisor is notified. 

3.4 Seed Processing 

We used the Naor-Reingold pseudorandom function (see [20]) for processing the 
combination of the seeds that are obtained from the physical random number 
generators with the hash value of the coupons file. The NR function is initially 
seeded with a strong random key. With the use of the NR function the resulting 
processed seeds is made not directly dependent on the on-line drawn physical 
bits, an act which guards against malfunctioning of the physical randomness 
sources by “rectifying” deviations (and makes the process independent of the 
manufacturers of the physical devices). 
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Fig. 2. The architecture of the random number generation system 



3.5 Signing and Authenticating 

To boost confidentiality and accountability, each time a drawing is performed the 
seeds and the produced numbers sent over from the generation source, should 
be signed by the source (using, e.g., a public key cryptographic scheme) and 
verified by the recipient. In this way, the source of the drawing is authenticated 
and the drawing can be considered valid. 

4 A High-Level Description of the Protocol 
of the Electronic Lottery 

Before we detail each component of the protocol, it will be useful to give a high- 
level description of these components as well as their interaction as summarized 
in Figure 2. The protocol is based on two basic interacting agents: the Generator 
and the Verifier. The Generator is replicated for high-availability purposes. (Of 
course, other components can be replicated as well, but this is easy to do since 
they are mainly general purpose computers whereas the generator is a complex 
and highly secured component that we replicated.) First, the Generator and the 
Verifier execute a key-exchange protocol in order to end-up sharing a secret key to 
enable secure communication between them. They also generate a private/public 
key pair for signature purposes. At this point, the Generator starts idling and 
waits for a drawing initiation signal from the Verifier. The Verifier knows the 
times of the daily drawings since they are communicated to it by the central 
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computer. Only coarse time synchronization is needed since there is enough 
time for all time-based operations in the system, since the mechanism operates 
four times a day. The following are the steps in generation (see Figure 2): 

1. Upon initiation, the Generator first draws a sequence of truly random bits 
as seeds from a set of physical random numbers sources (reseeding occurs at 
sufficiently frequent time intervals). 

2. Then the Generator executes a bit-commitment protocol on the seed bit 
sequence and signs it. The packet that results from these actions is sent over 
to the Verifier. As a result the seeds are committed to and the commitment 
is signed. 

3. The Verifier, in turn, gives the Generator the hash of the file of coupons. 

4. Next, the Generator mixes the random bits produced by the physical random 
number generators with the hash value of the file containing all the coupons 
played up to the allowed time (contained in the coupon file) in order to 
inextricably bind together the seed with the coupon file. This mixing can 
be effected by simply concatenating the random bits with the hash value 
given by the Verifier, essentially “freezing” the coupon file (this is the state 
stamping for post-betting prevention). Since the randomness is committed 
to and signed (and verified) and the coupon file hash is a commitment to 
the file, this is a state stamping which is present and logged at the Verifier. 

5. The first portion of the initially produced (i.e. bits from the physical random- 
ness s ources with concatenated hash value of the coupon file) bit-sequence 
is then fed through the Naor-Reingold (pseudorandom) function as a post- 
processing precaution to further decouple any direct biases of the random 
sources (provided by external manufacturers) from totally influencing the 
randomness (based on separation of duties principle). The result is inter- 
preted as a bit stream. 

6. The bit stream result of the previous stage is XORecl with a second por- 
tion of the initially produced bit-sequence (to mix a physical stream and 
a pseudorandom stream for cryptographic robustness). Then, this final bit 
sequence is used as the seed to a set of software based pseudorandom gener- 
ators, in order to stretch the seed and assure that enough random numbers 
are generated. In our protocol we are currently using algebraic as well as 
block cipher based generators. We employed the algebraic pseudorandom 
number generators RSA and BBS (which have a proof of security in the lit- 
erature) and two generators based on the block ciphers DES and AES. These 
generators can operate alone or in various output combinations. Although 
we have used the specific generators (as they are widely known or accepted 
within the cryptographic community) any number or type of secure software 
random number generators could be used instead. Note that basing our final 
generation on variety of functions adds to cryptographic robustness. 

7. Then the Generator executes a bit de-commitment (opens the initial phys- 
ical random seed bits). The seed and the numbers are encrypted and their 
encrypted form is signed. The packet that results from these actions is sent 
over to the Verifier and the Generator stops. 
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8. The Verifier first authenticates the packet (using the public key of the Gen- 
erator), decrypts the received packet and recovers the numbers plus the seed 
presumably used by the Generator to produce these numbers. 

9. Then, the Verifier checks that the Generator has committed to the sent seed. 

10. Then, the Verifier checks that the seed was used properly by repeating the 
same generation process used by the Generator and interpreting the outcome 
in the range of numbers to announce. 

11. If the produced numbers match the numbers sent by the Generator then the 
drawing is considered successful and the drawing is completed by announce- 
ments of the winning numbers. This check against the commitment and the 
hash of the file of coupons verifies that no interference occurred in the draw- 
ing process in the Generator. If the numbers do not match the numbers sent, 
then an alarm is raised, the drawing is canceled and the Verifier initiates it 
again (or some other action is taken to assure integrity and continuity). In 
this way the Verifier acts as an auditor of the entire drawing process. 

12. If the system fails the Verifier activates the second Generator, that repeats 
the process of the first one. 

Finally, we also included a provision for on-line statistical testing that es- 
timate the entropy of sources and long sequences of (i) the produced random 
numbers, and (ii) the hardware random number generators. Algorithms imple- 
mented in software need only be checked once, at the system installation phase 
(assuming the entire system is not being changed since no one gets access to it). 
However, given the fact that physical random number generators are vulnerable 
to environmental conditions or even subject to aging and physical malfunctions, 
one can never be certain that they are operating properly once installed on a 
computer. A very informative discussion on testing (on-line as well as off-line) 
physical random number generators can be found in [23] where a number of tests 
are prescribed for such generators able to meet their special requirements. These 
considerations discussed in that paper are already incorporated in the German 
AIS 31 national standard (as well as prerequisite for device approval) for testing 
physical random number generators. 

5 Implementation Choices 

5.1 Randomness Sources 

The software random number generators. Our decision to incorporate 
several different algorithms for the generation of the numbers was to base the 
whole design on generators relying on different principles of operation and se- 
curity so as to increase the difficulty of attacks aiming at guessing the number 
sequence. Different security principles imply that an attacker would face more 
difficulties in guessing as it would be necessary to break all of these principles. 
All the cryptographic primitives that will be described are fully reconfigurable 
in terms of their key sizes (i.e. the sizes modifiable at the implementation level). 
These sizes can be changed sufficiently frequently, depending on cryptanalytic 
advances. 
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We included two algebraic generators. One of them, BBS was proposed by 
Blum, Blum, and Shub (see [3]) is one of the most frequently used cryptograph- 
ically strong pseudorandom number generators. The second generator involved 
in the random number generation protocol is the RS A/Rabin generator and it is 
based on the RSA function (see in [1]). These works have shown proof of security, 
but these are typically too slow in many applications, but we had enough time 
to include them in our mix. 

The other two secure generators we used are based on the encryption algo- 
rithms DES and AES which are more often used. We used the implementations 
provided by version 2.5.3 of the mcrypt library (available at [18]). The key sizes 
were 64 bits for DES (56 bits effective) and 192 bits for AES. In order to have 
number generators from the encryption algorithms, DES and AES are used in 
their CFB (Ciphertext Feed-Back) mode and they operate as follows: an initial 
random vector is constructed from a seed processed as described in Section 4 and 
then DES and AES are invoked as many times as the bytes we wish to generate. 
In particular, every time the encryption function is called, a byte with all zeros is 
encrypted (always in CFB mode, which means re-encrypting the ciphertext) and 
the encryption result is the output of the generator. The cryptographic strength 
of the two generators is based on their encryption counterparts assuming the 
entire block is unpredictable. 

We further employed two techniques that are used to fortify and increase 
variability of weak generators (even though our generators are strong). One of 
them employs two shuffling algorithms for combining the output of the random 
number generators: Algorithm M, proposed by MacLaren and Marsaglia [15] and 
Algorithm B proposed by Bays and Durham [2]. Algorithm M takes as input 
two sequences X n and Y n , and outputs a more random sequence. The algorithm 
actually is shuffling the sequence X n using elements of the sequence Y n as indexes 
into the sequence X n . Thus, the elements of the new sequence are the same with 
those of X n but in different order. Algorithm B is similar to M, but it requires 
only one sequence as input. The output is, again, a shuffled instance of the input. 
Both algorithms are described in detail in Knutlr’s book [11]. 

Another technique for achieving extended variability in the lottery is to com- 
bine the four generators (which are viewed as “independent functions” ) using the 
bit-wise XOR operation, and to allow the protocol to swap, periodically (accord- 
ing to some predetermined internal schedule), to different sub-set combinations 
of the generation of the random numbers. 

Physical random number generators. The seeds of any software random 
number generator must, eventually, be drawn from a physical source of ran- 
domness. After considering the various physical sources of randomness within a 
computer (e.g. /dev/random in LINUX, fluctuations in hard disk access times, 
timing crystal frequency jitter, etc.) and evaluating the trade-off between easiness 
in using and quality of output, it was decided to use commercial hardware gen- 
erators known to pass a number of demanding statistical test (e.g. DIEHARD). 
Moreover, it was important to include more than one physical sources (with 
outputs XORed) as it is not uncommon to have, after some time, harmful clevi- 
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ations in the physical characteristics of the devices from which noise is drawn. 
These fluctuations, in turn, may cause the appearance of detectable biases in the 
produced number sequences. XORing, however, a biased physical source with a 
good one helps decreasing the bias. 

The component of the implementation responsible for physical randomness 
generation is actually comprised of three separate hardware-based random num- 
ber generators: (i) One based on the phase differences of the clocks of the com- 
puter’s motherboard. These differences are tapped by the function VonNeu- 
mannBytesQ, written by Adam L. Young, which produces a stream of random 
bytes based on these phase differences. As their authors state, this function is 
based on truerand() by M. Blaze, and J. Lacy, D. Mitchell, and W. Schell [14] (ii) 
A commercial device placed on one of the ISA slots of a computer that produces 
random bits on demand via appropriate system calls: this device is the ZRAN- 
DOM random number generator built by of the German company Westphal 
Electronics (for product overview, consult [25]), and (iii) The commercial device 
SG100, which is a hardware random number generator connected to the serial 
port of the computer. It is provided by the Swedish company Protego Informa- 
tion AB (for product overview consult [21]). We used three sources of physical 
randomness for increased security and in order to guard against malfunction of 
any one of them. 

5.2 State Stamping 

We needed to assure that the drawing is based on a given random seed indepen- 
dent of the coupons, yet that no modification of state would be acceptable. A 
simple way to meet this requirement was to mix the coupon file as is with the 
truly random (and committed to) seeds drawn from the hardware devices and 
then drive the software generators. As the coupon file is, generally, too big to 
be combined in a usable way with the seeds drawn from the physical random 
number generators, we used its much smaller hash value instead (see Figure 2, 
Genl). The hash function we used is RIPEMD-160 (see [5]). The Verifier can 
later check that the right random bits (committed to earlier) were used in this 
mixing. The commitment makes the mixing non-malleable in the sense that the 
system’s state cannot be changed given the record at the Verifier. 

5.3 Seed Processing 

As we mentioned above (Section 3.4), we used the Naor-Reingold function, or 
NR for short, for processing the seeds to assure that whatever biases still exist, 
a pseudorandom function will process the random seed. (This assumes that we 
made sure at the start that seeding the NR function key is done with very 
strong random bits). The seed processing via a pseudorandom function seed can 
be common to the Generator and the Verifier who both possess the NR key. The 
Verifier can privately make sure the function was applied correctly. This check 
can also be done via a non-interactive zero-knowledge proof. We further note that 
an alternative approach to this stage can be the use of the more recent “verifiable 
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(pseudo)random functions” as defined in [19], where audit of the correctness of 
a pseudorandom function can be checked as a public verification utility. 

Regarding the NR function, a key for it is a tuple (P, Q,g , a), where P is a 
large prime, Q is a large prime divisor of P— 1, g is an element of order Q in Zp 
and a = (ao, ai, ■ ■ ■ a n ) is an uniformly distributed sequence of n + 1 elements in 
Zq. For every input x of n bits, x = x\ . . . x n , the NR function is defined as: 

fp,Q, g ,a = (g a °) = mod P 

In our implementation, the size of P is 1000 bits and the size of Q is 200 bits. 
Note that we applied a pseudorandom function for this both randomizing the 
result and so that this serves as a commitment that based on its inputs its 
outputs can be checked if and when an internal audit is required (one can verify 
the output based on given inputs, directly relying on the security of the verifier. 
As mentioned above, alternatively, audit can be achieved in a zero-knowledge 
fashion, given the NR function’s public description). Since the NR function is 
pseudorandom, revealing input-output relationships does not hurt its security 
in this case. The portion processed via a pseudorandom function, is combined 
with a physical random source portion in order to take advantage of physical 
randomness as well, in case it is the best source we have. 

5.4 Encryption, Signing and Authenticating 

The Generator and the Verifier, are each equipped with an RSA key pair. At 
start-up they construct this pair and exchange their public keys. Then the com- 
mitments, the sets of numbers, as well as the seeds, that originate from the 
Generator are first encrypted and then signed using the shared secret key. This 
keeps any transmission private within the mechanism as a layer of protection. 
Before the encryption, however, we used the Simplified Optimal Asymmetric En- 
cryption Padding , or SAEP [4] . With the SAEP protocol, a padding on the bits 
of the message packet is performed aiming at achieving semantic security and 
chosen ciphertext security (in the random oracle model). Note that typically, a 
hybrid encryption is used in applications, but given our performance require- 
ments and the specific nature of our messages within the application, we can 
afford using public key encryption. A possible key size for the encryption is 1000 
bits and for the signature 2000 bits. The number of zeros in the SAEP protocol 
can be equal to 100 and the random number required can, also, have 100 bits. 
Note that signatures are performed over committed encrypted (thus random) 
values. The Verifier, after receiving the packet, decrypts it using the same se- 
cret key and verifies that it originated from the legal Generator. This avoids the 
risks associated with authentication through, e.g., IP address checking, password 
phrase exchange etc. The RSA pairs used for signing can be refreshed after a 
drawing is completed. This is perhaps an exaggerated precaution due to the large 
key sizes. In general, refreshment can be less granular. Note that a uew public 
RSA key can be certified by being signed with the old keys this achieves forward 
secrecy (namely, when the system is compromised past signatures are valid). 
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5.5 Seed Commitment and Reproduction of Received Numbers 

In order to ensure that the Generator actually used the seeds it claims to 
have used for the current drawing, the Generator and the Verifier execute a 
bit-commitment protocol based on the RSA encryption scheme and the hash 
function RIPEMD-160. After this processing, the commitment is sent to the 
Verifier and then the Generator can get the hash of the file of coupons and 
then the Generator produces and sends to the Verifier the seed and the resulting 
numbers of the current drawing. Upon receipt of the numbers, the Verifier uses 
the seed to which the Generator committed itself to in order to reproduce the 
received drawn numbers. If the reproduced numbers match the ones sent by the 
Generator, the numbers are deemed legal and are made public. Otherwise, the 
protocol stops and issues a warning. 

6 Discussion 

In this paper we have described a general protocol for the support of a national 
electronic lottery system. To the best of our knowledge this is the first publicly 
described system focusing on the core number generation and auditing process. 

We have argued why electronic lotteries are an exceptionally challenging type 
of financial applications, and that there are many factors that should be consid- 
ered for a robust protocol designed to support an electronic lottery. The genera- 
tion of sequences that are exceptionally difficult to guess is only one such factor, 
but one should take measures against many possible attacks on the generation 
as well as on the entire system operation and management process. 
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Abstract. Chameleon signatures are non-interactive signatures based 
on a hash-and-sign paradigm, and similar in efficiency to regular signa- 
tures. The distinguishing characteristic of chameleon signatures is that 
their are non-transferable, with only the designated recipient capable of 
asserting its validity. In this paper, we introduce the first identity-based 
chameleon hash function. The general advantages of identity-based cryp- 
tography over conventional schemes relative to key distribution are even 
more pronounced in a chameleon hashing scheme, because the owner of 
a public key does not necessarily need to retrieve the associated secret 
key. We use the identity-based chameleon hashing scheme to build the 
id-based chameleon signature and a novel sealed-bid auction scheme that 
is robust, communication efficient (bidders send a single message), and 
secure under a particular trust model. 

Keywords: Digital signatures, secure hash functions, chameleon hash- 
ing, sealed-bid auctions 



1 Introduction 

Chameleon signature schemes were introduced in [1], A distinguishing feature of 
chameleon signature schemes is that they are non-transferable, i.e. a signature 
issued to a designated recipient cannot be validated by another party. While 
not universally verifiable, chameleon signatures provide non-repudiation: If pre- 
sented with a false signature claim, the signer can prove that the signature is 
forged, while incapable of doing so for legitimate claims. Accordingly, the signer’s 
refusal to invalidate a signature is considered equivalent to her affirmation that 
the signature is valid. 

Unlike undeniable signatures [2-6], which also provide non-repudiation and 
non-transfer ability, chameleon signatures are non-interactive protocols. More 
precisely, the signer can generate the chameleon signature without interacting 
with the designated recipient, and the latter will be able to verify the signature 
without interacting with the former. Similarly, if presented with a forged signa- 
ture, the signer can deny its validity by revealing certain values. These values 
will revoke the original signature and the forged one simultaneously, and the re- 
vocation can be universally verified. In other words, the forged-signature denial 

A. Juels (Ed.): FC 2004, LNCS 3110, pp. 164-180, 2004. 
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protocol is also non-interactive. There also exist non-interactive versions of un- 
deniable signatures [7]. Chameleon signatures are considerably less complex, at 
the sacrifice of not conferring the signer the ability to engage in non-transferable 
secondary proofs of signature (non-)validity. 

Chameleon signatures are based on the well established lrash-and-sign para- 
digm, where a chameleon hash function is used to compute the cryptographic 
message digest. A chameleon hash function is a trapdoor one-way hash function: 
Without knowledge of the associated trapdoor, the chameleon hash function 
is resistant to the computation of pre-images and of collisions. However, with 
knowledge of the trapdoor, collisions are efficiently computable. 

When a chameleon hash function is used within a haslr-and-sign signature 
scheme, it permits the party with knowledge of the trapdoor to re-use the sig- 
nature value to authenticate other messages of choice. In particular, if the hash 
function is part of the recipient’s public key, then the signature is publicly ver- 
ifiable by no one other than the intended recipient. On the other hand, if the 
recipient re-uses the hash value to obtain a signature on a second message, the 
signer can prove knowledge of a hash collision, since the original signed message 
and the claimed signed message have the same hash value. Because computing 
hash collisions is infeasible for the signer, possession of such a collision is seen 
as proof of forgery by the signature recipient. 

1.1 ID-Based Chameleon Hashing 

In this paper, we propose the first ID-based chameleon hashing scheme. ID- 
based cryptography is an alternate form of public-key cryptography that does 
not use certification authorities or certificates. Instead, an ID-basecl scheme de- 
fines “identity strings”, which are nothing more than a special string format 
to describe real entities (persons or machines). For instance, an identity string 
could be an e-mail address, a URL, a person’s address, or any other unambigu- 
ous reference. The public keys are derived from these identity strings by means 
of a public algorithm, which is part of the scheme description. Any entity that 
can be described with an identity string (as specified in the particular scheme) 
has automatically a public key. Since the identity string is a ‘natural’ way to 
refer to the entity, anyone who knows the entity will also be able to compute 
the entity’s public key, without having to look it up in a key distribution cen- 
ter. Instead, the owner of the key is responsible for contacting an escrow server 
to obtain the secret key associated to his public key. Identity-based cryptogra- 
phy was originally introduced in the classical paper [8], which described id-based 
identification and signature schemes. Despite several efforts, id-based encryption 
eluded researchers until recently [9, 10]. 

As with other cryptographic primitives, such as encryption and regular digital 
signatures, there are considerable advantages to be gained from employing an 
ID-based chameleon hash scheme over a regular scheme. For instance, a signer 
can sign a message to an intended recipient, without having to first retrieve 
the recipient’s certificate; in fact, the signer can sign a message to the recipient 
before the recipient has registered with the system and obtained the secret key. 
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This reduces the negative network effects that make it hard to deploy public key 
infrastructures. 

One limitation of the original chameleon signature scheme ([1]) is that signa- 
ture forgery results in the signer recovering the recipient’s trapdoor information. 
Such feature has some advantages: For instance, since with the knowledge of 
the trapdoor the signer can compute other collisions, she can prove knowledge 
of a collision without revealing the original message signed. This message hiding 
permits the signer to deny forged messages without the onus of confirming the 
original signature. However, the signer can use this trapdoor information to deny 
other signatures given to the recipient, whether or not the recipient tried to re- 
use the corresponding hash values. In the worst case, the signer could collaborate 
with other individuals to invalidate any signatures which were designated to be 
verified by the same public key. This creates a strong disincentive for the recipi- 
ent to forge signatures, partially undermining the concept of non-transferability. 
If a third party is aware of the potential damage to the recipient that would 
result from the forgery of a signature, she will likely believe the authenticity of 
a recipient’s claims. 

Non-transferability is more convincing if the scheme is such that forgery of 
a hash value does not compromise the long-term key of the recipient. Clearly, 
this can be accomplished in any chameleon hashing scheme if the public keys 
are changed often. However, one now has a key distribution problem. The signer 
must be able to retrieve the most recent public key for the recipient, most likely 
by interacting with the recipient itself. The protocol then ceases to be non- 
interactive, at least in a practical sense. 

The scheme we present permits the signer to use a different public key for 
each transaction with a recipient, without having to retrieve a new certificate: 
The signer concatenates the recipient’s identification information with a string 
which uniquely identifies the transaction. Notice that the recipient does not need 
to retrieve the associated secret key to verify the signature ’s validity. Only if the 
recipient wishes to compute a collision and a forgery does he need to recover the 
secret key. Clearly, the key escrowing function is provided by the scheme manager 
for the bona fide reason that non-transferability, i.e., the ability of the recipient 
to forge signatures, is a property of the scheme that protects the legitimate 
signer. We remark that collision-forgery still results in the trapdoor information 
- now associated to a single transaction key - being recovered. Therefore, if the 
recipient produces a hash collision, the signer may deny the original message by 
providing a different collision, still enjoying the message hiding property. She 
will not be capable, however, of denying signatures on any other messages. 



1.2 Our Results 

To summarize, chameleon signature schemes introduced in [1] have the following 
properties. 

— Non-repudiation: The signer cannot deny legitimate signature claims. 

— Non-transferability or non-universal verifiability. 
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— Non-interactive. 

— Practical and efficient: The algorithms have costs comparable with those of 
standard signature schemes. 

— Semantic security: The hash value does not reveal information about the 
message signed. 

— Message hiding: The signer does not have to reveal the original message to 
deny the validity of a forgery. 

— Convertibility: A variant of the chameleon signature can be transformed into 
a regular signature by the signer. 

The scheme we present in this paper enjoys all the attributes above, with the 
added characteristics of being ID-based: 

— ID-based: Parties can sign messages for recipients, even if these recipients 
do not yet have the corresponding secret keys. Also, signers do not need to 
retrieve public key certificates of the intended recipient. 

— Lightweight key distribution/refreshment: Public keys do not need to be 
distributed after a refreshment. Secret key retrieval is optional for recipients. 

— Stronger non-transferability: The penalty for the recipient for engaging in 
forgery can be restricted to the loss of the original signature. 

We describe in later sections some applications which make use of these 
extra properties of the ID-based scheme. These applications are not meant to be 
the only motivation for the primitive we are introducing, but only illustrative 
examples of its potential uses. 

2 ID-Based Chameleon Hashing 

We assume that all system users are identifiable by a bit-string easily derivable 
from public knowledge about the individual. For instance, it could be the user’s 
e-mail address, augmented by some information such as an expiration-date. We 
call such a string an identity string. Formally, an ID-based chameleon hashing 
scheme is defined by a family of efficiently computable algorithms: 

Setup: A trusted party, the key escrow, runs this efficient, probabilistic algo- 
rithm to generate a pair of keys SIC and VIC defining the scheme. It pub- 
lishes VIC and keeps SIC secret. The input to this algorithm is a security 
parameter(s). 

Extract: An efficient, deterministic algorithm that, on inputs SIC and an identity 
string S , outputs the trapdoor information B associated to the identity. 
Hash: An efficient, probabilistic algorithm that, on inputs VIC, an identity string 
S, and a message m, outputs a hash value h. 

Forge: An efficient algorithm that, on inputs VIC, an identity string S, the trap- 
door information B associated with S (i.e., the output of Extract(S/C, S)), 
a message m! , and a hash value h of a message m, outputs a sequence of 
random bits that correspond to a valid computation of Hash^/C, S, m') 
yielding the target value h. 
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Repeating a computation of the hash function involves knowledge of the 
random choices made by the algorithm. We use also the notation Hash (S', m,r) 
to denote the deterministic algorithm that takes as inputs an identity string, a 
message and a string of random bits. (This notation leaves implicit the public 
key of the trusted party.) In practice, the Forge algorithm needs as input the 
random string r leading to a valid computation of h = Hash(S, m,r) and then 
can output a second r' ^ r such that also h = Hash(S, m' , r'). We denote the 
deterministic algorithm by Forge(S, B, m, r, h, m'), where B = Extract(S/C, S). 

2.1 Security Requirements 

In establishing the security of a chameleon hashing scheme, one may consider 
vulnerabilities against different attacks. A total break would be an attack result- 
ing in the recovery of the secret key SIC of the trusted party. This would permit 
the attacker to obtain the trapdoor information associated to any given identity 
string. 

A lesser powerful attack model involves extracting the trapdoor information 
of some identity string, not necessarily a meaningful string, chosen by the at- 
tacker, i.e., an existential attack on the extract protocol. In this case, the string 
very probably does not correspond to the identity of any real-world party. Such 
an attack is dangerous inasmuch as it can lead to an advantage in forging hash 
collisions for hash values published by real-world entities. 

Any attack is said to be successful if it accomplishes collision forgery. 

Definition 1. (Collision forgery): A collision-forgery strategy is an efficient, 
probabilistic algorithm that, given identity string S, message m, and random 
bits r, outputs another message m! and random bits r' , such that Hash(S l , to, r) 
= Hash(5, m',r'), with non-negligible probability. 

We say that the hashing scheme is secure against existential collision forgery 
by passive attacks if no collision-forgery strategy against it exists. However, to 
model an active attacker that could compromise various users and obtain their 
secrets, we must also allow oracle queries to the Extract(-) algorithm as part of 
the collision-forgery strategy. (Clearly, querying Extract) •) on the identity string 
of the target is not permitted.) 

Definition 2. (Resistance to collision forgery by active attacks): Let S be a 

target identity string. Let m be a target message. The chameleon hashing scheme 
is secure against (existential) collision forgery by active attacks if for all four- 
tuples of non- constant polynomials fi(-), /2( - )>/3(‘)> and for large enough 

k, there is no probabilistic algorithm A which runs in time less than fi(k), makes 
at most f^k) queries to an Extract(-) oracle (on identity strings other than S), 
and succeeds with probability larger than in computing integers r and r' , 

and binary string m! , where in' to, such that Hash(5, to, r) = Hash(S', to', r'), 
where Hash(-) is an instance of the scheme with security parameter f^fk). 

The chameleon hashing scheme must also be semantically secure. From the 
hash value it is infeasible to determine which message is likely to have resulted 
in such value by an application of the hash algorithm. 
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Definition 3. (Semantic security): The chameleon hashing scheme is said to 
be semantically secure if, for all identity strings S, and all pairs of messages m 
and to', the probability distributions of the random variables Hash(£, m, r) and 
Hash(S, m',r ) are computationally indistinguishable. 

Note that the semantic security of a chameleon hashing scheme implies the 
non-transferability of the corresponding chameleon signature scheme. 



3 The Scheme 

Let r and k be security parameters. The scheme fixes a secure hash function 
Tt : {0,1}* — > {0,l} 2r , mapping strings of arbitrary length to strings of fixed 
length 2 r. Reasonable choices for an implementation of the scheme are r = 80 
and SHA-1 for Tt{-). 

The setup algorithm is similar to an RSA key generation step. The trusted 
party T generates two prime numbers p and q in the set {2 K_1 , . . . , 2 K — 1}. 
Let n = pq. The bit-length of n, £{n), is no less than 2k. Let C : {0,1}* — > 
{0, • • • , 2 2k ~ 1 } be a secure deterministic lrash-and-encode scheme mapping arbi- 
trary bit-strings to integers less than n. For instance, it is possible to use the 
deterministic version of EMSA-PSS encoding defined in [11, 12] 1 . 

T then generates a random prime integer v s.t. v > 2 2r , and such that 
GCD(u, (p — l)(g — 1)) = 1, i.e., v is relatively prime to the order (f(n ) of the 
multiplicative residues modulo n. Applying the extended Euclidean algorithm 
for the GCD, T computes w and z such that wv + z(p — 1 )(q — 1) = 1. 

T’s public key is ( n,v ). Its secret key is ( p,q,w ). 

We can now describe the extraction algorithm. Let S be the identity string 
associated to some party. First we apply the deterministic hash-and-encode 
scheme to obtain the element J = C(S ) in Z n . The secret key is extracted 
as B = J w mod n. Notice that being able to compute B from S should be infea- 
sible. In particular, if C is chosen as the EMSA-PSS encoding, then B is a secure 
RSA signature on the string S, under the public key (n, u). 

The Hash(-) algorithm is: 

Has h(S, m, r) = mod n, 

where, again, TL(-) is the secure hash function, and J = C(S). 

The Forge algorithm is: 

Forge(S', B , m, r, h, m 1 ) = r' = rB H(m)-H(m') mod n 



1 Clearly, any deterministic encoding method would suffice. However, EMSA-PSS is 
recommended because the security of its deterministic version (when seedLen=0 [11]) 
is shown to be loosely reducible to the security of the RSA function in the random 
oracle model. 
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Note indeed that 

Hash (S,m',r') = 

_ j7i(m') r v j^v(H(m)— 

j'H(m') jvw('H(m)— TC(m , ))y t v 

j7i(m)—7i(m') j,v 

— jH(m) r v 

= Hash(S', m, r). 

3.1 Security Analysis 

As remarked above, the extraction algorithm requires knowledge of the trapdoor; 
obtaining the secret key from the private key without knowledge of the trapdoor 
requires forgery of a secure RSA signature. We now extend this argument to the 
other security requirements. 

Theorem 1. The chameleon hashing scheme is resistant to forgery under active 
attacks, provided that the secure RSA signature scheme is similarly resistant. 

The proof is simple, so we sketch it here. Given a collision, Hash(S', m, r) = 
Hash(S', m', r'), it is possible to extract the secret key B associated to the public 
key J = C(S). 

j'H(rn) r v _ jH(m’) r lv ^ {r' fr) V — j'HW-Hjm') ^ r ' f r — p'H(rn)-H(m') 

Now, each hash value is the binary representation of a positive integer of 
value smaller than 2 2r , and so the absolute value of A = Ti (rri) — Tt(m') is also 
smaller than 2 2r . Since v is a prime integer larger than 2 2r , it follows that these 
values are relatively prime, i.e. gcd(Z\,t;) = 1. Using the Extending Euclidean 
algorithm for the GCD, one computes a and /3 such that a A + (3v = 1. B can 
now be extracted: 

(r'/r)“ J 0 = B aA+0v = B. (2) 

Recall that he secret key B is a secure RSA signature on the identity string 
S , as remarked above. Hence, being able to compute collision forgeries for target 
strings implies in the capability of computing secure RSA signatures on messages 
of choice. □ 

Theorem 2. The chameleon hashing scheme is semantically secure. 

This is because all elements of the RSA ring are w-powers when v is relatively 
prime to the factors of the modulus n. Thus, given a hash value 2 and any 
message m, there is exactly one random integer r, with 0 < r < (p — l)(g — 1), 
such that Hash(S', m, r) equals z, namely r is equal to the v-tli root of zJ~ n ( m ' > .□ 
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4 ID-Based Chameleon Signatures 

Our hash function shares all the benefits of any ID-based construct (such as 
ID-based encryption or signature schemes), in particular: 

— There is no need to retrieve the certificate of the intended recipient. The 
hash function can be computed from publicly available identity information 
(e.g., the recipient’s email address). 

— The hash function can be computed under a recipient’s identity even if such 
recipient does not even exist or will join the system at a later time. 

— Exposure of secret keys can be minimized by customizing the identity in- 
formation under which the hash is computed (e.g., by concatenating time 
information to the identity of the recipient). 

A chameleon signature scheme ([1]) is a signature computed over a chameleon 
hash function. The recipient can verify that the signature of a certain message 
in is valid but cannot prove to others that the signer actually signed m and not 
another message. Indeed, the recipient can find collisions of the chameleon hash 
function, thus finding a message different from to which would pass the signature 
verification procedure. 

An ID-based chameleon signature on to consists of a traditional signature 
scheme, such as RSA or DSA, computed over the ID chameleon hash of to under 
the hashed identity J of the intended recipient. In particular, the signer generates 
a random r and computes: 

Sid — {Sign(S, Hash(S', m, r)), m, r}, 

where Hash(S l , m, r) = mod n is the id-basecl chameleon hash function 

computed for J = C(S). 

As suggested in [1] , an authenticated description of the hash function should 
also be added whenever such a description is not publicly available. As already 
mentioned, Sign(-) can be any standard signature scheme. In particular, it can 
also be implemented as any identity-based signature scheme, such as the Fiat- 
Shamir [8] or Guillou-Quisquatter [13]. This way, the verification process would 
be also ID-based since the signature can be verified from the identity of the 
signer. 

The above signature could be repudiated by a malicious signer who claimed 
that the recipient had forged the signature. But a trusted third party, or judge, 
could intervene to settle the dispute by asking the signer to provide a pair of 
values, different from (to, r), which would pass the signature verification pro- 
cedure. If the signer does not provide such a pair then the signature on m is 
considered valid. If the signer does provide a different pair ( m',r ') ^ ( to, r ), 
which passes the signature verification procedure, then the judge can conclude 
that the recipient has cheated and the signature on to is marked as invalid. 

As with all identity-based schemes, only the trusted third party can extract 
the secret key - the value B such that J = B v mod n. One fundamental fea- 
ture of an identity-based chameleon signature scheme, computed under a hashed 
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identity J, is that the recipient does not have to know the secret B unless he 
wants to forge the signature. Interestingly, this adds a new flavor to the identity- 
based cryptography in general: The user does not have to retrieve the secret to 
terminate a transaction unless he wants to diverge from the basic scheme. This 
is somehow different from the identity-based encryption where one has to nec- 
essarily retrieve the secret in order to decrypt messages or from identity-based 
signatures where one has to have the secret in order to start signing messages. 
In our case, the recipient may never ask for the secret but still successfully com- 
plete all transactions. However, the recipient can potentially obtain the secret 
from the trusted third party at any time which makes the original signature 
non-transferable. (A verifier does not know whether the recipient queried the 
trusted third party or not.) 

4.1 Message Hiding 

When a dispute takes place, it is often desirable to protect the confidentiality of 
the original message even against the judge. As suggested in [1], whenever the 
recipient cheats, the judge can solve any dispute without knowing the message 
originally signed by the signer. Indeed, it would be enough to reveal any col- 
lision of the chameleon hash function to convince the judge that the recipient 
cheated. This can be easily accomplished since the secret trapdoor information 
associated to the recipient’s public key is revealed whenever a collision of the 
chameleon hash function is known. For instance, suppose the signer computes 
the signature on the pair (to, r) and the recipient finds a collision and claims 
that the signature is on ( m',r During the dispute resolution, the judge re- 
veals ( m',r '), enabling the signer to compute the trapdoor, as follows: First, the 
signer calculates r'/r = ). Then, B is extracted given that J = B v 

is known and that GCD(H{m) — = 1 always holds. For details, see 

section §3.1 and the proof of Fact 1. 

Once the signer knows B , she can use the recipient’s Forge(-) algorithm to 
compute a new collision ( m",r ") and provide it to the judge, proving that the 
recipient cheated while keeping the original pair (m,r) private. 

4.2 Customized Identities 

Notice that anyone knowing a collision can find the recipient’s secret B. Similarly, 
this happens with the original scheme in [1] where the secret key corresponding 
to the public key used for the hash computation is revealed. This works as a 
deterrent to forging. However, if the recipient is unwilling to forge a signature, 
in order to avoid exposing his secret key, the non-transferability property of 
chameleon signature schemes is somewhat weakened. Third-party verifiers may 
be inclined to consider valid any signatures proposed by the recipient, upon 
knowing his hesitation in forging them. Would a recipient forge a signature 
when this might jeopardize all other transactions involving his public key? The 
identity-based chameleon hash function offers a natural way to solve this problem 
without requiring the recipient to interact with the signer. Indeed, the hash can 
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be computed under a customized identity J; for instance, J could be the result 
of applying a hash-and-encode function C(-) to the identity of the recipient, 
concatenated with the identity of the signer, plus some transaction identifier: 

J = C (identity .recipient || identity signer || transaction^ D) . 

In this case, the scheme should stipulate that the secret key B will be provided 
only to the recipient, identified as the person whose identity prefixes the string 
used to form the public key J. 

Whenever public keys are employed, one should in principle check whether 
a public key has been revoked or not. The use of properly customized identities 
eliminates this need. If the customized identity is unique to each message signed, 
the signer is certain that the corresponding secret has never been exposed since 
it has not even been computed by the trusted authority. In this regard, we 
stress again that the recipient does not have to retrieve the secret key to verify 
the signature. In a practical system, recipients would be eventual signers, and 
thus would have an interest in recovering secret keys occasionally, to ensure 
that the trusted party works correctly and that the non-transferability property 
holds. Clearly such frequency could be considerably lower than the frequency of 
transactions the recipient participates in. 

4.3 Message Recovery 

In case of forgery, the recipient’s key compromise results in the signer being 
capable of claiming any message as the one originally signed. Moreover, it be- 
comes impossible for the signer to prove which message was the original one. In 
some applications, this may not be an acceptable outcome. Circumstances may 
be such that the signer has an interest in being capable to affirm the original 
signature if she so desires. This situation has been addressed in [1], and the so- 
lution can be applied to our scheme. The convertible variant of the basic scheme 
provides the signer with a non-interactive algorithm to transform any instance 
of the chameleon signature into a universally verifiable instance. 

A different possibility is that the application requires that the original mes- 
sage be recoverable even without the signer’s cooperation. In these cases, it may 
be necessary to add to the signature some additional information about the 
message itself. One possibility is to include in the signature an encryption of the 
pair (?n,r) computed under the public key of the judge. That is, the signature 
becomes: 

Sid = {Sign(S, Hash(5', m, r), PK[(m, r)]), m, r}, 

where the public-key encryption is assumed to be semantically secure 2 . In prac- 
tice, one would sign a hash of the encryption, so as to compute the signature on 
parameters of fixed size. 

2 This is required to maintain the non-transferability of the signature once augmented 
by the encrypted message. Informally, a semantically secure encryption is a random- 
ized encryption that protects all the bits of the plaintext. In particular, if one of 
two publicly known messages is encrypted, no-one can tell which of the two was 
encrypted by just looking at the ciphertext. 
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The above construction eliminates the need for the signer to store signatures 
in order to repudiate forgeries, shifting the storage burden onto the recipient, as 
in regular (digital) signatures. With this scheme, the signer is protected against 
a malicious recipient that produces a forgery and then prevents the signer from 
participating in the adjudication of the claim - a denial-of-service attack on 
the signer. This scheme does not provide the recipient with a mechanism for 
adjudicated convertibility, because the recipient has no guarantee that the signer 
has encrypted the correct information during the signing step. It only protects 
the recipient against a later “change of heart” by the signer. 



5 Sealed-Bid Auction System 

In this section, we describe a very simple sealed-bid auction scheme based on ID- 
based chameleon signatures. We stress that this application is not meant to be 
the sole motivation for the primitive we are introducing, but only an illustration 
of some of its potential uses and benefits. 

In public seller auctions, also called English or forward auctions, bidders 
compete by announcing successive bids, with the highest offer acquiring the 
good being auctioned. Alternatively, public buyer auctions (also called reverse 
auctions) are used by the Government and by businesses to procure supplies and 
services. In reverse auctions the lowest bid wins. 

By contrast, in sealed-bid auctions (whether forward or reverse), bidders are 
allowed to submit a single, sealed bid. The seller stipulates a period for accepting 
bids, at the end of which the bids are unsealed and compared. The winning bid 
is revealed so that all competitors can ascertain its winning merits. 

The Internet has transformed the auctioning business. Auction systems were 
some of the earliest success stories in the commercial Internet, and continue 
to grow profitably. While the site eBay® is a household name, multiple other 
sites cater to the vast segment of business-to-business procurement. The auc- 
tion type (forward/reverse) varies but proxy bidding is commonly found. Proxy 
bidding-based auctions are intermediate between open and sealed-bid auctions. 
As in public auctions, the current winning price is openly determined, constantly 
changing while the auction is ongoing. However, in similarity with closed auc- 
tions the maximum bid (or minimum bid in a reverse auction) is not known to 
competitors. 

Proxy bidding has a few characteristics that makes it less desirable than 
sealed-bid auctions, at least in some circumstances. For instance, late bidders 
(those who submit their bids closest to the auction closing time) are at an ad- 
vantage, raising both questions of fairness to all bidders and of possible under- 
estimation of the market value of the product being auctioned, which is unfair 
to the seller. As the value, variety, and complexity of items auctioned online in- 
crease, it is possible that some markets will favor auction systems that optimize 
for factors such as efficiency and fairness, for instance by featuring sealed-bid 
auctions [14]. 
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5.1 Closed Auction System Models 

Standard models for sealed-bid auction systems require that the following prop- 
erties hold: 

Correctness: The correct winner and clearing price are determined in each 
auction. 

Confidentiality: Bids remain hidden before the action ends. 

(Optionally): Only the winning bid and the clearing price are revealed. Losing 
bids remain private. 

Fairness: Bidders do not learn information about competing bids before the 
auction closes, neither can they change their bid after the closing of the 
auction. 

Non-repudiation: The winner cannot repudiate his bid. 

Robustness: No party, whether or not a legitimate party in the auction, may 
maliciously or accidentally compromise the correct functioning of the system. 

There has been considerable research on secure, closed e-auction systems, 
such as [15-21]. Most of these systems are fairly complex, employing techniques 
such as secure multi-party evaluation of predicates on encrypted bids. The gen- 
eral idea is that the bidders submit encrypted bids. The auctioneer, or other 
bidders, cannot determine from the encrypted values the original bids, but can 
cooperate to determine the highest bid value and the auction winner. It is neces- 
sarily true that only systems based on encrypted bids can achieve the strongest 
possible security guarantees. In particular, without keeping the bids encrypted 
before the auction closing time, it is not possible to provide fairness without 
making some additional trust assumptions, because if a bid is ever available as 
clear-text its content could be communicated to competitors. Similarly, losing 
bids must never be decrypted if full privacy is desired. 

In practical applications one must consider the optimal trade-off between se- 
curity properties and other worthwhile goals such as lower communication com- 
plexity (reducing the number of messages sent greatly simplifies system design 
as a whole), computational costs and administrative ones (such as key manage- 
ment issues). Our approach considers the design of a system that is extremely 
practical. The design goals are as follows: 

Thin clients: The client software/hardware (assisting the bidder function) 
should be of minimal complexity. Optimally, it should consist of a non- 
customized (or minimally customized) web browser or even a text-messaging 
application. 

Stateless clients: A stateless protocol is much easier to implement correctly 
and to analyze for its security properties. Moreover, less state information 
results in greater robustness. 

Low communication: The communication complexity of a distributed proto- 
col can be defined either as the number of bits sent or the number of mes- 
sages sent. From a practical perspective, the number of messages influences 
the complexity of protocol implementation and analysis, while the number 
of bits is important whenever network bandwidth is at a premium. 
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Asynchronous communication model: The only timeliness constraint is 
that auctioneer and bidders can agree on whether a bid is submitted af- 
ter or before the closing of an auction. 

Auction rule flexibility: This is an important requirement for a general-pur- 
pose auction system. Different auction styles require different methods to 
determine the clearing price for the item(s). For instance, a (k + l)-auction 
is one in which k items are auctioned. The k- th highest bidders claim items, 
all at the same clearing price, which corresponds to the k + 1-st highest bid. 



5.2 The Auction Scheme 

We present a sealed-bid auction protocol satisfying all the above design goals, 
while providing only partially the security guarantees of the general model. We 
first describe a straightforward protocol, which provides non-repudiation: 



1. Each bidder sends a single signed message to the auctioneer, containing the 
bid information. 

2. The auctioneer publishes a receipt for each bid received. 

3. The auctioneer publishes the winning bid. (After auction closes.) 

The above protocol also reaches correctness, if the following conditions hold: 

— All bids submitted before the auction closes are accepted by the auctioneer. 
In particular, this implies that all parties can agree on the auction closing 
time - a soft synchronization requirement. 

— Consistency of view of the published information must be assured. 

We remark that both conditions are required of any robust protocol. We 
assume that the underlying communication channel between bidders and the 
auctioneer is such that both properties above hold, as the techniques for achiev- 
ing such guarantees are well understood and can be achieved in practice. Under 
such assumption, the above protocol is robust. 

On the other hand, this protocol achieves neither fairness or privacy unless 
the auctioneer can be trusted not to publish any undue information. As alluded 
to before, fairness and absolute privacy can only be achieved by performing all 
computations (such as clearing price and auction winner determination) on en- 
crypted bids. Use of encryption increases the communication complexity (once 
to collect bids and another to perform decryptions) and makes robustness harder 
to achieve. (For instance, one must ensure that encryption keys can be recovered 
for the winning bid or else there is no robustness of the non-repudiation guaran- 
tee.) This poses the question of whether partial fairness and privacy guarantees 
can be achieved without resorting to computation on encrypted information. 

Our approach is to simplify the trust model. Clearly, if the auctioneer is 
entirely trusted then privacy and fairness can be achieved simply by protect- 
ing the bid-submission channel. If the auctioneer may arbitrarily collude with 
bidders then complex cryptographic techniques are required to ensure fairness 
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or privacy. These are not the only two possible trust models. Alternatively, the 
auctioneer might not be trusted to keep the bids privately and yet also untrusted 
by dishonest bidders to provide the correct information about competitors’ bids. 
This model does not protect against auctioneer-bidder collusions but can accom- 
modate situations in which a hacker or malicious insider breaks into the system 
and tries to peddle the information to a suspectful bidder. 

Notice that the simple scheme described above is still vulnerable under this 
restricted trust model. An insider could easily convince a suspicious bidder of 
the correctness of the peddled information because the bids are signed. However, 
if the bids were to be signed using a chameleon-hashing scheme that would not 
be the case. As the signature on bids are non-transferable, the suspicious insider 
cannot be assured of the correctness of the reported bid value. We now describe 
this in some detail. The final protocol is simply: 

1. Each bidder sends a single signed message to the auctioneer. The mes- 
sage contains the bid terms, signed using the identity-based chameleon 
signature scheme. 

2. The auctioneer publishes a receipt for each bid received. 

3. The auctioneer publishes the winning bid. (After auction closes.) 



The bids are submitted to the auctioneer in the clear, but since they are 
signed using chameleon signatures, their validity can only be determined by the 
auctioneer. The auctioneer publishes the signatures on each bid, which acts as a 
receipt on the bid, but does not publish the value of the bids themselves. If the 
auctioneer were to cheat and reveal to a bidder some of the competitors’ bids, 
that bidder would have no means to determine whether or not the auctioneer 
is telling the truth. Yet, since chameleon signatures are non-repudiatable, the 
bid winner must make good on her offer: In case of disputes, a judge would 
determine the validity of the bid. 

An important point is that it be believable that the auctioneer might cheat. 
If regular chameleon signatures are used, it is unlikely that an auctioneer would 
cheat by forging bids because, by cheating, it would reveal a collision of the cha- 
meleon hash function. This in turn discloses its long-term secret key, affording the 
colluding bidder to repudiate his bid during any later auctions as well as during 
the current one. However, the non-transferability of a chameleon signature comes 
from the fact that the recipient of such a signature may be willing to forge it. If 
such an event is unlikely then the chameleon signature behaves, de facto, much 
like a traditional signature scheme. 

An alternative solution would be for the auctioneer to generate temporary 
public keys, perhaps one for each item being auctioned. At the highest level of 
granularity, the auctioneer might issue a different public key for each potential 
bidder on the item. Clearly, such public keys cannot be pre-computed in large 
systems with millions of users such as eBay®. That implies that a bidder must 
first contact the auctioneer about a particular auction and request the respective 
key. While correct, this solution requires a second round of communication when 
compared to the previous one. Instead, an identity-based scheme allows the 





178 Giuseppe Ateniese and Breno de Medeiros 



bidder to generate a signature under a customized hashed identity J of the 
following form: 

J = C {auctioneer Jd || bidder Jd || itemJd). 

This can be done without interacting with the auctioneer and would offer the 
highest level of granularity. The auctioneer does not have to retrieve the secret 
corresponding to J unless he wants to forge the signature. In case of forgery and 
subsequent dispute, only the secret related to a particular transaction from a 
specific bidder is revealed, leaving the rest of the transactions valid. This makes 
any signed bids completely useless for other bidders and non-transferable. 

Our identity-based scheme allows users to participate in digital auctions that 
interface with real world. For instance, items for bidding can be labeled by ref- 
erence strings. Unlike regular public keys, reference strings can be mnemonic, 
facilitating entry by potential buyers. For instance, realtors could put a sign in 
front of houses available on the market with a realtor identity and a number 
identifying the property. Auctioneers could advertise items for auction in public 
newspapers, including item reference strings. (Today, in the US, government- 
seized property auctions and foreclosure-related auctions must be advertised in 
newspapers to comply with the law.) Potential buyers would view the property 
and could type that information into an e-mail or text-messaging capable com- 
puting device to submit a bid. Not needing to download a public key simplifies 
the process, adding convenience: System users would be able to submit bids from 
low-bandwidth communication devices such as cell phones and PDAs. The above 
scheme is even more convenient if clients, such as cell phones, take advantage 
of an architecture of strong authentication (permitted by the device smartcard, 
in the case of cell phones) to eliminate the need for dedicated cryptographic 
software and key management on the client side. The bids could be forwarded 
to a proxy signature server (for instance, the site of the mortgage banker) which 
would chameleon-sign the bid on behalf of the user. 

To summarize we have designed a very simple e-auction protocol that achieves 
correctness and non-repudiation in all cases, and which achieves fairness and 
privacy only under certain trust assumptions: The auctioneer is allowed to mal- 
function or to be dishonest, and the same is allowed of bidders, but the model 
does not handle the case when bidders and the auctioneer may collude. How- 
ever, the simplicity and convenience afforded by the proposed scheme would be 
of considerable practical significance. In particular, we would like to point out 
the statelessness of clients and the fact that protocol requires the sending of 
a single message by bidders. Notice that the identity-based properties of the 
chameleon signature are essential to enable the single-message feature within 
this trusted model: Alternative methods would require schemes for delivering 
temporary keys, for instance. The use of an identity-based scheme eliminates 
the need of a certificate distribution architecture. 

Apart from (and partly because of) being very efficient, and achieving the 
lowest possible message complexity, the protocol is quite robust. We believe 
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that the importance of robustness has been overlooked in some of the existing 
protocols. Without robustness, the strong fairness and privacy conferred by some 
of the protocols based on encryption cannot be achieved in practice, because in 
any realistic implementation one must consider how a protocol performs under 
attacks or when parties malfunction. 

6 Conclusions 

Krawczyk and Rabin introduced in [1] the concept of chameleon hashing. In 
this paper, we extended their work by introducing an ID-based chameleon hash 
function. ID-based cryptography in general enjoys advantages relative to key 
distribution over conventional schemes. In the case of chameleon hashing these 
advantages are multiplied by the fact that the owner of a public key does not nec- 
essarily need to retrieve the associated secret key. Therefore, ID-based chameleon 
hashing can support single-use public keys very efficiently. We exploit this fea- 
ture to design a novel application of chameleon signatures to e-auction schemes 
that enjoys efficiencies difficult to achieve with other cryptographic techniques. 
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Abstract. In many markets, it can be beneficial for competing firms 
to coordinate their actions. However, such arrangements usually have 
the problem that nobody has an incentive to adhere to the agreement. 
In this paper we investigate a way for two companies to communicate 
together and agree on a coordinated strategy in such a way that both 
participants have an incentive to keep to the agreement. 

We provide a more efficient solution to the game theoretic problem solved 
by Dodis, Halevi and Rabin in [DHROO] : two selfish rational parties want 
to select one of a list of pairs, according to some probability distribution, 
so that one party learns the first element and the other learns the second, 
and neither gains any other information. In game theory terms, the prob- 
lem is to achieve a correlated equilibrium without the trusted mediator. 
Our solution is more efficient than [DHROO] in terms of the probability 
distribution. 



1 Introduction 

The Internet is composed of participants who are often neither malicious nor 
perfectly honest, but are selfish and (reasonably) rational just like the traditional 
game theory players. This paper is part of a growing body of work (including 
for example [AET01], [FPSS02], [FPS01], [NPS99], [NR01], [RT02]) that aims to 
consider both the agents’ computational limitations and their incentives when 
solving problems. In this case, we solve an existing problem in game theory 
by making computational assumptions and using cryptography. Our solution is 
more efficient than the one in [DHROO] in terms of one of the parameters (a 
probability distribution) . 

Consider for example two competing furniture stores, selling roughly the 
same secondhand chairs from failed dot-coms for roughly the same prices. Each 
week, the CEO of each store may choose either to retain the usual prices or to 
have a special sale and discount the chairs substantially. They must choose in 
advance (so they can’t just wait to see what the other does). If both decide to 
retain their usual higher prices then both make a moderate amount of money 
that week. If one retains the normal prices but the other goes on sale, then the 
latter will have far more customers and make more money than in a normal 
week, while the former will make less. However, if both decide to have a sale 
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Table 1 . Payoffs and probabilities for the game 



Payoffs Probabilities 

No Sale Sale No Sale Sale 



No Sale 


9,9 


5,12 


No Sale 


5/11 


3/11 


Sale 


12,5 


0,0 


Sale 


3/11 


0 



at the same time then this is a disaster because they will not get many more 
customers than usual but they will receive much less money per customer. An 
example of the possible payoffs is shown in Table 1, where the first number of 
each pair is the payoff of the row player and the second is that of the column 
player. The state with the highest average income (per store) is the one in which 
neither offers a sale. Unfortunately, there is a reason to expect that the stores 
will not remain in this state: if either side is confident that the other will not 
offer a sale, then it has an incentive to offer one itself, thus gaining 12 instead of 
9. In game theory terms, (No Sale, No Sale) is not a Nash equilibrium. Indeed, 
there is no Nash equilibrium better than the ones where one player offers a sale 
and the other doesn’t. 

A Nash equilibrium might be mixed, meaning that each player randomizes 
among several different actions. In a (mixed) Nash equilibrium, the players’ 
random choices must be independent. However, in some games (such as this 
one) the players can earn a higher average payoff by randomizing according 
to some correlated joint distribution. The idea of correlated equilibrium is that 
there is a trusted party who helps the players to do the correlation. It chooses a 
particular move for each player from a commonly-known distribution over pairs 
of actions, then it tells each player what action to take. (More precise definitions 
of Nash and correlated equilibria are given in section 2.) 

It is natural for cryptographers (and game theorists) to ask whether the play- 
ers can achieve the same payoff without the trusted party. That is, if the players 
are allowed to talk amongst themselves before the game, can they correlate their 
random choices without giving away any information that will destroy the equi- 
librium? In the game theory literature, Barany [Bar92] showed that this was 
possible for four or more players, but impossible for two computationally un- 
bounded players (except in some uninteresting cases). Dodis, Halevi and Rabin 
[DHROO] have shown that by making computational assumptions, it is possible 
to solve this problem for two players using cryptography. It is a Nash equilib- 
rium for the players to execute the cryptographic protocol that simulates the 
trusted party correctly and then choose the appropriate move. (There is also a 
solution by Urbano and Vila [UV02], but their cryptographic protocol has secu- 
rity flaws.) The contribution of this paper is to provide a protocol that solves 
the same problem as [DHROO] and is more efficient in terms of the probability 
distribution required. 

Although the protocol presented in [DHROO] is very efficient in terms of the 
security parameter, it is designed for uniform distributions and is not efficient in 
terms of the probability distribution that the parties are supposed to be taking 
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their moves from. The protocol presented in this paper is much more efficient in 
this parameter. (The form of the protocol that is designed for selfish agents is 
less efficient than [DHROOj’s in terms of the security parameter, which is itself 
a function of the end-of-game payoffs.) Although most examples of correlated 
equilibria in game theory textbooks (for example, [OR94] and [FT91]) do use a 
uniform distribution, there is no particular reason to expect that most correlated 
equilibria should be uniform or nearly uniform. For example, the game in Table 1 
has a correlated equilibrium with the distribution given in the table. It also 
has a correlated equilibrium based on a uniform distribution among the same 
three pairs of actions, but that equilibrium has a lower average payoff. Section 2 
contains proofs of these claims. 

In the following section we give some background game theory and explain 
the problem more carefully. In section 3 we present a protocol that is secure 
against honest-but-curious players, and in section 4 we show how to compile the 
protocol for security against one malicious player. We then show that two selfish 
players would execute the protocol correctly. 

2 Definitions and Game Theory Background 

In this section we provide enough background to explain the problem that we 
are trying to solve. 

Definition 1. A Game for two players consists of: 

— for each player i £ {0, 1} a nonempty set A. * of actions, and 

— for each player i £ {0, 1} a utility function Ui : Ai x A 2 — > R. 

The utility function represents how happy a player is with a certain outcome. 
The larger its value, the better-off the player. Players may randomize their ac- 
tions. A strategy in a strategic game is a probability distribution over actions. 
(The notion of strategy will be broadened for extended games later in this sec- 
tion.) A Nash equilibrium is a self-enforcing agreement by each agent to choose a 
certain strategy. Given the agreement, neither player has an incentive to deviate 
from it unilaterally. The main restriction is that the random choices made by 
the two players must be independent. 

Definition 2. A Nash equilibrium of a game G is a pair of independent strate- 
gies (u^ov)) such that for any ai £ Ai and ci 2 G A 2 , we have > 

ui(ai,a%) and u 2 (cr * , ) > i( 2 (cr*, a 2 ). 

The idea of a correlated equilibrium is that there is a trusted third party 
who recommends an action to each player before the game. It chooses the pair 
of actions according to a probability distribution that is common knowledge. 
Hence the recommended action gives each player some information about its 
opponent’s action, since it knows the distribution of what will be recommended 
to its opponent conditioned on its own recommended action. Each player’s rec- 
ommended action should be its best strategy, given this information. This gives 
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us a generalization of Nash equilibrium in which the players’ random choices 
may be correlated. 

We write a^a* f° r the probability distribution on the action recommended 
to player 2, conditioned on action being recommended to player 1. The utility 
ui(ai, 1 J 2 |a*) is player l’s expected utility for choosing action a\, assuming that 
player 2 acts according to the distribution a^\a\. Similarly, it 2 (cr*|a 2 , 02 ) is player 
2’s expected utility for 02 , given its information. 

Definition 3. A correlated equilibrium is a pair of strategies s* = (< 7 *, cr|) such 
that for any (a*, a 2 ) in the support of s* , for any aq € Ai and 02 € A 2 , we have 
CT 2 |aj) > CT 2 |af) and U2((7*|a2, a?i) > U2((7*|a2, 02 ). 

It is easy to see that for any Nash equilibrium there is a correlated equilibrium 
with the same distribution on pairs of actions (and therefore the same average 
payoff). Correlated equilibrium payoffs can be outside the convex hull of Nash 
equilibrium payoffs. For example, consider the game in Table 1. We first show 
that the probabilities given in the table produce a correlated equilibrium. Since 
the game is symmetric, we need only consider the incentives of player 2, the 
column player, given what it has been told to play. The conditional probabilities 
for player l’s action given what has been recommended to player 2 are: 

Pr{a\ = No Sale|a 2 = No Sale) 

Pr(ai = Sale|d 2 = No Sale) 

Pr{a\ = No Sale|a 2 = Sale) 

Pr (ai = Sale|a 2 = Sale) 

Suppose the column player is told to play Sale. Then it can be certain 
that the row player has been told to play No Sale, so the column player gets 
its maximum possible payoff, namely 12, for doing as it is told. Suppose in- 
stead that the column player is told to play No Sale. Then its expected payoff 
for being obedient and playing No Sale is 9Pr(ai = No Sale|a 2 = No Sale) + 
5Pr (ai = Sale|d 2 = No Sale) = l\. If it decides to disobey and play Sale in- 
stead, its expected payoff is 12Pr(ai = No Sale|a 2 = No Sale) = 7|, so it has 
no incentive to deviate. Hence this is a correlated equilibrium. 

There are two pure-strategy Nash equilibria, (No Sale, Sale) and (Sale, 
No Sale), both of which have an average payoff per player of 8^. There is also 
a mixed Nash equilibrium in which each player plays No Sale with probability 
5/8. This gives an average payoff of 7\. The correlated equilibrium in the table 
gives the players an average payoff of 9 x 5/11 + 12 x 3/11 + 5 x 3/11 = 8^-, 
which is better than any Nash equilibrium. 

Furthermore, a correlated equilibrium with a non-uniform distribution can 
give a strictly higher average payoff than any with a uniform distribution in the 
same game. For example, in the game in Table 1, the uniform distribution over 
(Sale, Sale), (Sale, No Sale), (No Sale, Sale) also gives a correlated equilibrium, 



5/11 

” 3/11 + 5/11 
= 5/8 
= 3/8 
= 1 
= 0 
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but this has an average payoff of (5 + 12 + 9)/3 = 8| which is lower than the 
8yy achieved with the non-uniform distribution in the table. 

It is interesting to wonder what happens for an arbitrary game when the 
trusted party is allowed to send more informative messages, rather than just 
informing each player of the action it is supposed to take. Upon first glance it 
seems that this might increase the set of equilibria, but it is a standard result 
in game theory (see [0R94] prop. 47.1) that it doesn’t. For every equilibrium 
that is based upon some complicated messages from the trusted party, there is 
another that has the same distribution on action pairs (and therefore the same 
payoffs) in which the trusted party tells each player what action to choose and 
nothing else. This is why we adopt Definition 3 instead of a more complicated 
variant. 

An extended game is a game preceded by a period of unrestricted communica- 
tion among the parties. This is called “cheap talk” in the game theory literature, 
because the talk doesn’t directly affect anyone’s utility - the payoffs for the ex- 
tended game are just the payoffs for the standard game that is played in the last 
step. A strategy in such a game consists of both a way of conducting the “cheap 
talk” (which may be randomized and may depend on messages received from 
others) and a choice of action afterwards. 

One technical difficulty is defining such standard notions as Nash equilibrium 
given computational assumptions. We follow [DHROO] in assuming that players 
ignore any improvements in their utility that are negligible in the security pa- 
rameter. For example, they don’t bother trying to guess each other’s private 
keys, because they know they have only a negligible probability of success. 

Definition 4. [DHROO, Definition 3] A computational Nash equilibrium of a 
game is a pair of independent strategies (u^crj) such that 

— both and a 2 are PPT computable. 

— for any other PPT computable strategies ay and <J 2 , there exists a negli- 
gible function p such that on security parameter k, we have Ui(al,a 2 ) > 
ui(cti, a 2 ) + p{k) and u 2 (al, c|) > U 2 (ct*, cr 2 ) + p(k). 

The idea now is to devise a cryptographic protocol that selects a pair of 
actions from some distribution and reveals to each player what action it should 
take and nothing else. We will call this the correlated element selection problem. 
It should be a computational Nash equilibrium of the extended game for each 
player to execute the protocol correctly during the “cheap talk” phase and then 
choose the action that is recommended by it. 

Dodis et. al. present an efficient protocol for solving the correlated element 
selection problem with the uniform distribution. They show how to augment this 
protocol to make it secure against malicious parties, which is enough to make it 
a computational Nash equilibrium for selfish parties to execute the protocol and 
then take the action that they are supposed to, assuming the uniform distribution 
was indeed a correlated equilibrium. Their protocol is very efficient for uniform 
distributions, but the solution for non-uniform distributions is to repeat some 
of the pairs until choosing uniformly from the resulting list gives the correct 
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distribution. This has an asymptotic efficiency on the order of the least common 
multiple of the denominators of the probabilities. Our contribution is a protocol 
for solving the same problem that is more efficient in terms of the probability 
distribution: its asymptotic efficiency is on the order of the inverse of the smallest 
non-zero probability. This is always smaller (except in the uniform case and some 
other simple cases, when it is equal), because the inverse of a number in (0, 1] 
is smaller than or equal to the denominator, so the smallest of the inverses is 
smaller than or equal to the least common multiple of the denominators. 

In both protocols, the longest message is a list sent in the first step. For 
example, for the game in Table 1 our protocol uses a list of length [11/3] = 
4 while the one in [DHR00] uses one of length l.c.m {11,11,11} = 11. If we 
wanted a correlated equilibrium that consisted of choosing one pair of actions 
with probability 1/100, one with probability 1/99 and another with probability 
1 — 1/99 — 1/100, then Dodis et aV s protocol would use a list of 9900 messages, 
while our protocol would use 100. In the uniform case, the lists have the same 
length for both protocols. However, our messages are larger by a constant factor 
(about 3). 

2.1 Summary: How the Protocol Fits in to the Game 

The traditional cryptographic assumption is that at most one player is malicious, 
meaning that it might deviate from the protocol in any computationally feasible 
way, while the other is completely honest. The protocol must either produce the 
correct answer and reveal no other information, or stop early without revealing 
information (See [Gol03] for a more precise statement). However, in this case we 
can’t assume that one player is honest. The usual game theoretic assumption is 
that both players are rational. We assume that each player might deviate from 
the protocol (in any computationally feasible way) if this increases its expected 
utility (by a non- negligible amount). 

In cryptography, it usually suffices to show that the honest player will notice if 
a malicious player tries to cheat. However, in our setting both players still have 
to choose an action after the protocol, so we must describe what action they 
should choose after detecting that the other has cheated. We follow [DHR00]: if 
player 1 detects that player 2 has cheated, it punishes 2 by choosing the action 
a\ that minimizes max a2 {w 2 (ni, 02 )}- This is called player 2’s minimax action. 
Likewise, if player 2 catches player 1 cheating, it minimaxes 1. It is shown in 
[DHR.00] that the cheating player’s minimax utility is always smaller than its 
correlated equilibrium payoff, so it has an incentive to be honest as long as its 
probability of being caught when cheating is sufficiently large. We use standard 
cryptographic techniques to make sure this is the case. 

Consider the extended game defined by a period of “cheap talk” followed by 
the playing of a game. Let V be the protocol for correlated element selection 
given in section 4, parameterized for a particular correlated equilibrium of the 
game. Let Soonest the strategy, “follow V until you detect the other player 
cheating. If you reach the end without detecting cheating, choose the action 
output at the end of V . Otherwise, punish your opponent to its minimax level.” 
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A precise statement of our main result is: 

Theorem 1. It is a computational Nash equilibrium of the extended game for 
each player to follow strategy 5/j 0nes p 

This result means that two selfish players could be expected to implement 
the protocol correctly and then choose the recommended moves, thus achieving 
a correlated equilibrium without the trusted party. 

While both players following strategy Soonest is a computational Nash equi- 
librium, it is not subgame perfect because it involves an “incredible threat”. A 
player may have no incentive to punish the other even if it is caught cheating, 
since the minimax state may hurt the punisher as much as the cheater. Such 
incredible threats are allowed in Nash equilibria because we assume that each 
player chooses its strategy in advance and does not maintain control of the al- 
gorithm. However, for some games a subgame perfect equilibrium is possible: if 
the original (unextended) game has, for each player, a Nash equilibrium that 
gives that player a sufficiently small payoff, then that state can be used as pun- 
ishment rather than a minimax. In that case, a rational player that detects the 
other cheating and can still control what move to make will have no incentive 
not to punish the other correctly. 



3 Protocol for Honest-but-Curious Players 

We present a protocol for the correlated element selection problem that is ef- 
ficient in terms of both the security parameter and the required probability 
distribution. This protocol has message size and computation time linear in the 
security parameter and linear in the inverse of the smallest probability in the dis- 
tribution on pairs of actions. This protocol is secure in the honest-but-curious 
model, meaning that the players are allowed to record everything they know 
about the interaction and try to learn from it, but they are not permitted to 
deviate from the protocol in any other way, including the tossing of fair coins. 
In then next section, we will show how to make the protocol secure against one 
malicious player or two selfish players. There may be interesting applications for 
this protocol other than finding correlated equilibria. 

We first describe a useful cryptographic primitive used in [DHROO] and also 
in our protocol. Blindable encryption allows someone who knows only the public 
key to transform a ciphertext of a message m into a random ciphertext of m+m ' , 
for any value of m! that it chooses. (In the following definition, when we want 
to write the random inputs to a function explicitly, we separate them from the 
non-random inputs with a semicolon). 

3.1 Blindable Encryption 

Definition 5. [DHROO, Definition f[. A public key encryption scheme £ with 
public key pk is blindable if there exist (PPT) algorithms Blind and Combine 
such that for every message m and every ciphertext c € Enc p k (m) : 
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— For any message m! (also referred to as the ‘‘blinding factor'’ ) , Blind p k{c,m') 
produces a random encryption of m + m! . 

— If ri,r 2 are the random coins used by two successive “blindings”, then for 
any two blinding factors mi, m 2 , 

Blind p h(Blindpk(c,mi;ri),m 2 ',r 2 ) = Blind p k(c,mi + 771 - 2 ; Combine p k(ri,r 2 )) 

Two blindable encryption schemes are ElGamal and Goldwasser-Micali 
[GM84] . 

Blindable encryption provides an easy way for player 1 to ask player 2 to 
decrypt a message encrypted with 2’s public key, without player 2 learning any- 
thing about what it has decrypted. Player 1 simply chooses a random blinding 
factor, blinds the ciphertext, asks player 2 for the decryption and then subtracts 
the blinding factor from the result. We will use this idea twice in this protocol. 
Blindable encryption also provides a useful way to make a given ciphertext unrec- 
ognizable. Suppose there are several encryptions of the same message. Someone 
who knows the public key can blind a ciphertext by zero, producing a random 
encryption of that message. Even someone who knows the private key cannot 
tell which encryption of the message the new ciphertext was derived from. 

3.2 The Protocol 

Figure 1 describes the improved protocol for correlated element selection. There 
is a longer explanation in the following text. We assume that all numbers are 
expressed to k = O(k) bits of precision, where k is the security parameter. 
Choosing a random number from a real interval means choosing randomly from 
among the (finitely many) /c-precision numbers in that interval. 

The protocol is a variation on Dodis et alls protocol for correlated element 
selection. The common input is a list of triples {(aj, 6i,pi)}” =1 , meaning that the 
pair of actions (oj,6j) should be chosen with probability pi. The output is an 
action Oj for the chooser and the corresponding action bt for the preparer. Let pi 
denote Y^)=\Pj- We assume p n = 1. The probabilities divide the interval [0,1) 
into n intervals [0,pi), [pi,f> 2 ), ■ ■ ■ , [Pn- 1 , 1), with each interval corresponding to 
a pair of actions. 



(a i-A) 


(02,62) 




(d n _i , b n — 1 ) 


b n ) 


0 J 


61 } 


h 


Pn - 2 1 


1 



Preparation. The preparer generates a random number ro G [0, 1) and shifts the 
probability intervals along by adding ro to each and “wrapping” back around to 
zero for those sums that are greater than 1. That is, let i* = min{i|ro +Pi > 1}. 
The preparer creates new intervals [0 ,pi* + ro — 1), [ pi * + ro — l,Pi*+i + ro — 
l),...,[p„_i + r 0 - l,r 0 ),[r 0 ,pi + r 0 ), . . . , [p»._ 1 + r 0 ,l). It shifts the corre- 
sponding action pairs along with the intervals, so for i < i* the action pair 
( a,,bi ) corresponds to the interval [pi-i + ro,f>i + r 0 ), while for i > i * , (aj,6,) 
corresponds to the interval [/),_ 1 + ro — 1 , Pi + ro — 1) and the action pair (a** , bi * ) 
is split over the two intervals [0,pi* + ro — 1) and [p;._ 1 + ro, 1). 
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Protocol CES 

Common inputs: List of pairs of actions with probabilities {(a,:, , public key pk, 

security parameter k. 

Preparer knows: secret key sk. 

Outputs: With probability pi, C outputs a; and P outputs hi. 

All calculations are done with &(k) bits of precision. 

P: 1. Shift and encrypt 

Choose a random r o G [0,1). 

Choose minimum l s.t. l/l < niin,-{p;} and divide [0, 1) into l equal-sized blocks. 

Let pi denote aQ d frac(x ) the fractional part of x 

For A = 1 . . . I make block A as follows: 

If there is an i with frac(p, + r o) G [(A — 1 )//, A /l), make block 
((Enc pk (a,i) , Enc pk (bi)), Enc pk (frac(l(pi + r 0 ))/l), (Enc pk (a i+ 1 ), Enc pk {b i+l )) 
Otherwise, choose a random q\ 6 [0, l/l) and make block 

(( Enc pk^ a i )> Enc pk( b ^' Enc pk^> ( Enc pk(°i )< Enc pk( b i')'> 

(where j = min{/ |/rac(pj/ + ro) > (A — 1 )/l}) 

Send the list of blocks to C. 

C: 2. Choose and blind 

Choose a random block ((c 01 ,c&, ),c p , (c„ 2 ,ct, 2 )) from the list. 

Choose a random blinding factor /Ji 
Send d p = Blind pk (c p , /3i ) to P. 

P: 3. Blindly decrypt probability 

Send p ' = Dec gk (d p ) to C. 

C: 4. Choose actions 

Let /> — // 3; . 

Generate a new random number /?2 ■ 

With probability Ip, set (e,/) = {Blind pk (c ai , fh), Blind pk (cb i ,0)) 

Otherwise set (e, /) = (Blind pk (c a2 , /3 2 ), Blind pk {cb 2 , 0)) 

Send (e, /) to P. 

P: 5. Decrypt and output 

Set b = Dec sk (e). Send 6 to C. 

Output Dec sk (f). 

C: 6. Unblind and output 

Set b = b — 8 - 2 - Output b. 



Fig. 1. A protocol for correlated element selection in the honest-but-curious model 




The preparer then chooses the smallest l £ N so that l/l < min,; {pj } , and di- 
vides the interval [0, 1) into l intervals of equal size, which will be called “blocks” . 
(This is why the resulting message length is linear in the inverse of the smallest 








190 Vanessa Teague 



probability.) Some blocks fall entirely within one of the shifted probability inter- 
vals (and hence correspond to only one pair of actions), while others overlap the 
border between two (and hence correspond to two pairs of actions). No block 
corresponds to three or more pairs of actions because the size of a block is chosen 
to be smaller than the smallest interval that one pair occupies. 



i 


M 1 


K 




1 


3i, bi) | 


(«: 


> b ?) I 



0 Pi* + r 0 - 1 p n + r 0 - 1 r 0 pi + r 0 p 2 + r 0 




Pi*-i + ro 1 



The idea is that the chooser will choose one of these blocks randomly and 
uniformly and will then choose randomly (but not uniformly) one of the actions 
represented by the block. Let frac(x) denote the fractional part of x. The preparer 
prepares the blocks in the following way: if the A-th block overlaps two shifted 
probability intervals (say that the block contains the value frac(pi + ro) for some 
i), it normalizes frac(pi + ro) by subtracting integer multiples of l /l to get the 
value p\ = frac(l(pi + ro))// in [0,1//). It then separately encrypts p\ and all 
four actions with its own public key, maintaining their pairing and order. Blocks 
that fall entirely within one shifted probability interval are easier to prepare, but 
must be made indistinguishable from the other kind of block: for these blocks, the 
preparer generates a random number q\ £ [0,1//) for the A-th block, encrypts 
it and then encrypts the pair of actions twice with different randomness. When 
all blocks are prepared, the preparer sends the list of blocks to the chooser. 



Decryption. We use a semantically secure encryption scheme, so it is infeasible 
for the chooser to tell whether the two pairs of actions in a block are actually the 
same pair or not. It chooses one of the / blocks uniformly at random and gets 
the preparer to blindly decrypt its probability p (that is, the chooser blinds the 
encrypted p with a random value, asks the preparer to decrypt the result and 
then subtracts the blinding value). The chooser then chooses the leftmost pair 
of actions with probability Ip and the rightmost otherwise. The chooser blinds 
its own action (the first one in the chosen pair) with a random value and blinds 
the preparer’s action with 0, then sends the result to the preparer. The preparer 
decrypts its own action (without knowing which of the blocks containing that 
action has been chosen) and the chooser’s blinded action. It sends the blinded 
value back to the chooser (without knowing what the unblinded value is). The 
chooser subtracts the blinding value to get the result. 

We need to prove that this protocol produces the right outputs with the 
correct probabilities, and that neither side gains any extra information. 

Lemma 1. Protocol CES securely computes the function of correlated element 
selection in the honest-but- curious model, with a negligible error in the probability 
of selecting any pair. 

Proof. Correctness: We will show that for all i £ {1, . . . ,n}, the action pair 
( ai,bi ) is chosen by the protocol with probability Pi. This is true even given a 
fixed r 0 . Suppose that pi+ro < 1. (The other cases are similar.) Let int(x ) denote 





Selecting Correlated Random Actions 



191 



the integer part of x. Then the number of blocks in which both pairs are (a,, b t ) is 
int(l(pi + ro)) — int(l(pi-i + ro)) — l. (Since l/l < Pi this is always non-negative.) 
There is one block in which (a*, 6*) is the leftmost pair only and another block 
in which it is the rightmost pair only. The probability of C choosing the leftmost 
pair in the former block is frac(l(pi + ro)); the probability of it choosing the 
rightmost pair in the latter block is 1 — frac{l{pi-\ + r 0 )). Therefore the chooser’s 
probability of selecting (oj,6j) is 

Pr (Get ( di,bi )) = [int(l(pi + r 0 )) - int{l{p i - 1 + r 0 )) - 1] /l + frac(l(pi + r 0 ))/l 
+ [1 - frac(l(pi - 1 + r 0 ))] /l 
= [l (pi + ro) - l(pi - 1 + r 0 )] fl 
= Pi 

So if the protocol is followed correctly then it produces action pairs according 
to the correct distribution. 

Secrecy: Informally, the preparer receives only three values: blinded encryp- 
tions of the chooser’s action and the probability pi that it is using, and a random 
encryption of its own action bi. The first two provide no information because 
they are blinded by a random value that the preparer does not know. The last 
provides no information other than bi, because any of the encryptions of bi that 
were sent to the chooser are equally likely to have produced that ciphertext after 
blinding with zero. The chooser learns only four (unencrypted) values: the index 
of the block chosen, the probability of choosing the leftmost pair in that block, 
which pair (leftmost or rightmost) was chosen, and its output action cq. The 
probability reveals no information, even combined with the index of the chosen 
block, because it is either a randomly chosen number independent of the input, 
or it is blinded by the factor r o which the chooser does not know. The choice 
of leftmost or rightmost pair also reveals no information because each pair of 
actions appears exactly the same number of times on the left and right sides. 

More formally, the preparer’s view can be simulated given its input and 
output bi by sending it the encryptions of random values in place of the blinded 
action and probabilities, and sending it a random encryption of bi in step 5. This 
produces a distribution identical to that of the protocol run. 

The chooser’s view can be simulated given its input and output a, by sending 
it a “prepared list” of the right form which may actually include encryptions of 
anything. When it chooses a blinding factor /?i for the probability, the simulator 
replies with a random value in [0, l/l). When the chooser chooses a blinding fac- 
tor /?2 for its action, the simulator chooses an action pair (cq, b/) according to the 
correct distribution and sends ai+fo to the chooser. This produces a distribution 
computationally indistinguishable from that of the protocol run. A distinguisher 
of the two distributions can defeat the semantically secure encryption scheme. 

We now need to enhance the protocol to make it very unlikely that either 
player can cheat in a way that improves its utility without being detected by the 
other. 
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4 Protocol Secure against One Malicious 
or Two Selfish Players 

We use zero knowledge proofs adapted from [DHROO] and a cut-and-clroose pro- 
tocol to transform the protocol from section 3 into one secure against a malicious 
player. After each step of the honest-but-curious protocol, the sender of the last 
message “proves” to the receiver that it has constructed the message correctly. 
The cryptographers’ view is that if one player is malicious it cannot gain an 
advantage over an honest opponent. More importantly for our purposes, it is an 
equilibrium for two selfish players to execute the protocol correctly, because any 
deviation is either unhelpful or likely to be detected and punished by the other. 

4.1 Probability Distribution Is Correct with One Faulty Player 

The only protocol steps that can’t be checked using zero-knowledge proofs or 
a cut-and-choose protocol are those that involve making some random choice 
according to a specified probability distribution. Since players can’t prove to 
each other that they have done this correctly, we will use the standard trick of 
arguing that as long as one of the players makes its random choices correctly, the 
outcome will be correct (which in this case means that the final pair of actions 
is chosen according to the correct probability distribution). The game theory 
view is that it is an equilibrium for both players to toss their coins fairly, since 
unilateral deviation makes no difference to the outcome. 

Lemma 2. Suppose that the players are allowed to deviate from the protocol only 
by altering their random coin tosses. Then if at least one player tosses its coins 
correctly, the final pair of moves is selected according to the correct probability 
distribution. 

Proof. If the chooser chooses its randomness correctly, then it is easy to see that 
the resulting distribution is correct. For the other case, suppose that the preparer 
correctly chooses ro uniformly at random from [0, 1) but that the chooser chooses 
its block according to a non-uniform distribution and chooses the leftmost pair of 
actions according to a (possibly randomized) function ch() that depends on the 
block chosen and the probability p decrypted by the preparer. Ch() outputs either 
L (for left) or R (for right). Since the encryption algorithm used is semantically 
secure, the distribution on blocks must be independent of the choice of ro- More 
importantly, CH() is independent of ro and the preparer’s other coin tosses given 
p. We will show that for all p, for all choices of the block, the probability (given 
p) that the chooser chooses a particular pair of actions is exactly what it should 
be. Fix the value of p and the chooser’s choice of block (call it A). Let Pi be 
the probability that the i-th action pair ( ) is chosen. We need to prove 
that Pi = Pi- Let rp denote the random coin tosses of the preparer (apart 
from ro) and let r CH denote the random coin tosses of the Ch() algorithm. Let 
Pit = Pr rc H (ch(p, A) = L) and P rf = Pr rcH (ch (p, A) = R). Recall that all the 
computations are done to k bits of precision. Then 
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Pi = Pr r 0 ! r P ,r CH [(Left pair is (a, . b t ) and CH(p, A) = L) 
or (Right pair is (a,, bi) and CH(p, A) = R)} 

= Pi t Pr ro ,rp (Left pair is ( ai,b t )) + P rt _Pry 0|7 . p (Right pair is ( a-i,bi )) 

= p lt Pr r 0 ,rp ( r 0 = (A - 1 )/l + p - Pi V (r 0 6 [(A/1 - Pi, (A - 1 )/l - pi- 1 ) A q\ = p)) 
+ p r l p r ro ,r P (ro = (A - 1 )/l +p — Pi -1 V (r 0 S [A/1 - p iy (A - 1 )/l - Pi-i) Aq\ = p)) 



= p , 



l/2 k + ( Pi - l/l)l/2 k 
l/2 k 



If 



+ ( 1 ~ P lt ) 



l/2 fc + ( Pi - l/l)l/2 k 
1 / 2 * 



= Pi 



The first equation is given by the independence of CH() from ro and the other 
coin tosses of the preparer, given p. The second is just the definition of what it 
means to have (a*, bi) in the left or right part of the A-th block. The third gives 
the probabilities for tq being in the required ranges, given p - the denominator 
is the a priori probability of getting a particular value for p. 

This shows that, as long as one party tosses its coins correctly, the output prob- 
ability distribution is correct. 

4.2 Preventing Deviation from the Protocol 

We use the same techniques as [DHROO] to prevent players from deviating from 
the protocol in ways other than making their random choices wrongly. After each 
round of the honest-but-curious protocol (except the first), the sender proves to 
the recipient in Zero Knowledge that it produced the message correctly. We can 
use the same proofs as [DHROO] for proving truthful decryption and proving 
that a certain ciphertext is truly a blinding of one from the original list. The 
only place where we must do this in an inefficient manner (differently to the 
method used in [DHROO]) is in the first message that the preparer sends to the 
chooser. Here we use a “cut-and-choose” protocol: the preparer prepares several 
candidate lists and the chooser selects one of them to be used in the protocol. 
The preparer must decrypt the rest, thereby proving to the chooser that they 
were prepared correctly. Of course, if the prover makes one incorrect list there is 
some chance that it will succeed in fooling the chooser. There is a known upper 
bound on the profit that the preparer can make by cheating (its greatest payoff 
in the game minus its equilibrium payoff), so the number of candidate lists must 
be large enough that its expected gain from trying to cheat is negative. This 
means that the length of the first message is linear in the payoffs of the game. 
The protocol in [DHROO] is actually logarithmic in the payoffs, because their 
security parameter needs to be at least long enough that the probability of the 
cryptography failing (either in the zero knowledge proofs or in encryptions) is 
a constant fraction of the game’s payoffs. Hence their methods for preventing 
protocol deviation are more efficient than ours in terms of the game’s payoffs. 

We can now prove Theorem 1, that it is a computational Nash equilibrium for 
everyone to execute the protocol correctly and minimax the other if it cheats. We 
have shown that a player that cheats (except by tossing its coins wrongly) will be 




194 Vanessa Teague 



detected and punished with high enough probability that it has no incentive to 
do so. We have also shown that a player that cheats by tossing its coins wrongly 
has no effect on the outcome if the other is honest, so there is no incentive for 
that kind of cheating either. Hence the “honest” strategy is a computational 
Nash equilibrium. Two competing, selfish and rational firms could use this to 
attain any correlated equilibrium payoff without using a trusted mediator. 



5 Conclusion 

There is a lot of interesting overlap between cryptography and game theory. 
In this paper we have given an efficient way of implementing a game theoretic 
solution concept that is impossible to implement without either cryptography or 
a trusted third party. This could be used by participants in all sorts of markets 
to coordinate their actions for their mutual benefit. We expect cryptography to 
be a useful tool for solving many other practical game theoretic problems that 
relate to the careful distribution of information. 
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Abstract. In an anonymous credential system a user can prove anony- 
mously the possession of credentials to a service provider. Multi-show 
and non-transferability are two important properties of such systems. 
More precisely, in a multi-show system the same credential can be used 
more than once without threatening anonymity, moreover, lending of 
non-transferable credentials is inconvenient. In this paper we give a con- 
struction for multi-show non-transferable credentials for which the owner 
can prove that the credentials satisfy access control policies expressed by 
means of linear boolean formulae. 



1 Introduction 

Privacy enhancing technologies focus on the deployment of infrastructures that 
protect user privacy in the digital world. Currently many services that are funda- 
mental for the worldwide economy are available on the Internet and many others 
are going to be supported. Several services are not accessible anonymously from 
everybody, but a form of access control is performed in order to distinguish 
qualified users (i.e., the ones that have enough rights to access the service) and 
unqualified ones. Current standard technologies implement such access control 
policies by requiring user identification (e.g., by using username and password or 
X509 [1] digital certificates), by retrieving user’s credentials from a local database 
and then by checking that user’s credentials satisfy a given access control policy. 
Such a typical scheme is secure, efficient, practical and guarantees that unquali- 
fied users do not get access to a restricted service. However such a scheme does 
not deal at all with user privacy protection since in each transaction between 
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a user and a service provider the user reveals his identity, the transaction can 
be logged and an accurate dossier of all activities performed by the user can 
eventually be extracted from the logs. 

In an anonymous credential system we have three types of players: organiza- 
tions, users and service providers. Typically, a user gets a credential certificate 
encoding the user credentials from an organization and uses the credentials to 
access services. Each service provider specifies which users are qualified to access 
the service as a function of the credentials of the user. Thus, before accessing 
the service the user and service provider engage in a protocol in which the user 
proves possession of (a credential certificate encoding) credentials sufficient for 
the service in question. In an anonymous credential systems it is desired that 
the service provider cannot link a request for the service with a specific user or 
with other past requests. Roughly, we now list the properties that an anonymous 
credential system should enjoy. 

1. Security: it is hard for a coalition of users to get access to a service without 
having the requested credentials. 

2. Multi-show privacy: a user during a transaction can prove possession of 
credentials and, at the same time, the service provider does not obtain any 
private user information. This holds even if the user interacts using the same 
credential certificate several times with the same (or other) service provider. 

3. Usability: a user that possesses a credential certificate should be able to 
prove general statements (in our case the satisfaction of linear Boolean for- 
mulae) over the credentials while preserving multi-show privacy. 

4. Non-Transferability: it should be inconvenient for a user to lend his cre- 
dentials to another user. 

5. Efficiency: the overhead in terms of communication and computation im- 
posed by the anonymous credential system to users and service providers 
must not heavily affect their performance. 

Related Work. An anonymous credential system can be based on the concept 
of proofs in which a user shows possession of some piece of information (the 
credentials) that satisfies some given conditions (e.g., the access control policy). 
A first implementation of these proofs, for the case in which the conditions are 
expressed by a monotone Boolean formula, can be traced back to the general 
results on statistical zero-knowledge proof systems by [2] with efficiency commu- 
nication improvements given by [3] . In [4, 5] these techniques are further explored 
and their applicability to real-life scenarios shown. In particular, Brands [4] pre- 
sented a Public Key Infrastructure in which a user can prove in zero knowledge 
that the credentials encoded by his certificate satisfy a given linear Boolean 
formula. Brands’ constructions are efficient since only a few modular exponen- 
tiations (i.e., the number of modular exponentiations is linear in the number 
of encoded credentials) have to be performed in order to prove that the cre- 
dentials encoded in the certificate satisfy a given linear Boolean formula. The 
main drawback of Brands’ certificates is that they are one-show in the sense 
that using the same certificate in two distinct transactions links the two trans- 
actions as performed by the same user. As a consequence of this weakness, a user 
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needs to obtain from the Certification Authority an unpractically large batch of 
certificates so that no certificate is used twice. 

In our construction we will be interested in multi-show certificates that can be 
used several times still guaranteeing unlinkability. We will base our construction 
on some techniques proposed in [4, 5] in order to achieve proofs of possession 
of credentials that satisfy a given linear Boolean formula and we extend such 
schemes in order to achieve the multi-show property. 

The first implementation of anonymous credentials has been presented in [6] 
where a third party is necessary in order to achieve unlinkability. Lysyanskaya et 
al. [7] proposed a general credential system that, however, is impractical being 
based on general one-way functions and zero-knowledge proofs. Moreover, they 
also presented an efficient one-show construction. The same drawback affects 
the solution proposed in [8]. The work of Camenisclr and Lysyanskaya [9] has 
improved these pioneering works. In [9] the authors proposed an anonymous 
credential system that is based on the strong RSA assumption and the DDH 
assumption. In the system of [9] it is possible to unlinkably prove possession 
of a credential supporting the multi-show property and the entities that release 
credentials can independently choose their cryptographic keys. More recently, 
Verheul [10] proposed a more efficient solution for multi-show credentials. The 
result is based on the assumption that for some groups the Decisional version 
of the Diffie-Hellman (DDH) problem is easy while its Computational version 
(CDH) is hard and on an additional ad-hoc assumption. 

The property of Brands’ constructions, by which general statements of the 
values encoded by a certificate can be proved, is not enjoyed by the works of [9, 
10]. Indeed, in such systems it is necessary to have one ad-hoc credential for each 
specific access control policy otherwise more information than the minimal one 
needed in each transaction is disclosed. 

Finally, in [11], Persiano and Visconti presented a non-transferable anony- 
mous credential system that is multi-show and for which it is possible to prove 
properties (encoded by a linear Boolean formula) of the credentials. Unfortu- 
nately, their proof system is not efficient since the step in which a user proves 
possession of credentials (that needs a number of modular exponentiations that 
is linear in the number of credentials) must be repeated k times (where k is the 
security parameter) in order to obtain a satisfying soundness. 

Thus, the state of the art presents efficient solutions that either require one 
credential certificate for each service [9, 10] but each can be used as many times 
as needed; or require one credential certificate for each time the user needs to 
access a service [4] but a certificate can be used for any service. 

Our contribution. In this paper, we present an anonymous credential system that 
is secure, multi-show, usable, non-transferable and efficient. In our system a user 
needs to obtain only one certificate to be used as many times as necessary with 
any service provider since our system enjoys the multi-show property. Moreover, 
in our construction we show how to enforce the non-transferability property. 
The security property of our system is based on new computational assumptions 
derived from the ones used in [12-14]. 
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2 The Model 

Our model consists of three types of players: 

1. The organizations , that release credential certificates to users. 

2. The users , each with a set of credentials. A user receives a credential certifi- 
cate encoding his credentials from an organization that he will then use to 
access services. 

3. The service providers, that offer services and have access control policies for 
their services. We assume that the access control policy for each resource of 
each service is represented by a linear Boolean formula over the required 
credentials. 

A credential system C consists of the following five algorithms 

(SetUp, Enroll, IssueCred, ProveCred, Verif yCred). 

Next, we summarize how these algorithms interact and which of the parties 
executes each algorithm. In Section 4 we will present an implementation of such 
procedures. 

1. System set-up: this step is performed only once by each organization in 
order to establish publicly verifiable parameters Pub (that will be used by the 
other procedures) and consists in executing algorithm SetUp on input the 
security parameter. The organization also obtains the private information 
Priv which corresponds to the public information Pub that she will use to 
release credential certificates. 

At the end of this phase, the organization is ready to release credential 
certificates. 

2. User enrollment: this step is performed jointly by the user and by an orga- 
nization and consists in executing the pair of algorithms (Enroll, IssueCred). 
The user has as input her credentials encoded by an m-tuple (aq, • • • , x rn ) 
and the public information published by the organization during the set up 
of the system. 

The organization verifies the credentials and then releases the credential 
certificate. 

3. Proving possession of credentials: this step is performed by a user ex- 
ecuting algorithm ProveCred interacting with a service provider executing 
Verif yCred in order to gain access to a service which is restricted to legiti- 
mate users. 

The user has as input her credential certificate, the credentials, the public 
information and the formula <P that encodes the access control policy. 

Our anonymous credential system guarantees the following properties: 

Usability: once a user has obtained a credential certificate CredCert for creden- 
tials (xi, ■ ■ ■ ,x m ) from the organization then CredCert can be used (as input 
to algorithm ProveCred) to successfully access any service with access control 
formula such that d>(xi, ■ ■ ■ ,x m ) = 1. In other words, the user has to inter- 
act only once with the organization in order to get her credential certificate. 
From then on, the same credential certificate can be used to access any service 
(provided that the credentials satisfy the access control formula) . 
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Security: it is computationally infeasible for a coalition of users to access the 
system without having a credential certificate; moreover, it is not possible to 
generate a new credential certificate even knowing a polynomial number of other 
credential certificates. 

We formalize the security property in the following way. 

Definition 1. LetC=( SetUp. Enroll, IssueCred. ProveCred, VerifyCredj be 

a credential system. We say that C is secure if for all probabilistic polynomial 
time algorithms A and for any formula $ the probability that A on input the 
public information Pub and a sequence of credential certificates corresponding to 
credentials not satisfying successfully interacts with algorithm Verif yCred on 
<P is negligible. 



Multi-show privacy: no information about the credentials owned by a user is 
leaked by the protocol executed to prove possession of credentials other than the 
fact that the credentials satisfy the access control formula d>. Moreover, two uses 
of the same credential certificate cannot be linked. 

We formalize the property of multi-show privacy in the following way. 

Definition 2. Let.C=( SetUp. Enroll, IssueCred. ProveCred, VerifyCredj be 

a credential system. We say that C is multi-show private if for any triple of 
adversarial algorithms (SetUp*, IssueCred*, Verif yCred*) there exists an al- 
gorithm S running in expected polynomial-time such that for any linear Boolean 
formida d>, for all (xi, • • • , x m ) for which d>{x\, ■ ■ ■ , x m ) = 1 it holds that 

S'(Pub) = (ProveCred(a:i, • • • , x m , CredCert, Pub, <P) 

<-> Verif yCred* (Pr iv, Pub, <P)) 

where (Priv, Pub) <— SetUp* (l fc ) and CredCert <— (Enroll(;ri, • • • , x m , Pub) «-> 
IssueCred* (Priv, Pub)). 

Roughly, the formalization above states that the interaction between a user 
possessing a certificate for credentials (xi, . . . , x m ) and a service provider (that 
could be the same organization that releases credential certificates and thus take 
as input Priv) can be efficiently simulated by an algorithm that has as input 
the public information and black-box access to the service provider. 

Moreover (formal definition omitted from this abstract) in our construction 
the multi-show privacy holds even if the same credential certificate is used a 
polynomial number of times for a polynomial number of different Boolean for- 
mulae. 

Our construction also enjoys the non-transferability property: it is “inconve- 
nient” for a legitimate user to share her credentials with other users. 

Finally, our construction is particularly efficient in the amount of information 
to be stored and in the amount computation to be performed (see Section 4.6) 
when a large number of credentials is considered used. 
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3 Background 

In this section we summarize the main cryptographic techniques that we use in 
our constructions. For further details see [15,4, 13]. 

We start by reviewing the notions of discrete logarithm and discrete logarithm 
representation. 

Definition 3. Given a group G of order n, and two elements g and y of G, the 
discrete logarithm of y to the base g, if it exists, is the integer 0 < x < n — 2 
such that y = g x . 

We stress that the discrete logarithm of y to the base g exists if and only if y 
belongs to the subgroup generated by g. This is the case, for example, if G is a 
finite cyclic group and g is a generator of G; in this case computing the discrete 
logarithm is considered hard. The discrete logarithm is also considered hard in 
the group 2T* where n is a composite integer. Indeed, if the discrete logarithm 
problem in Z* can be solved in polynomial time, then n can be factored in 
expected polynomial time. 

Definition 4. Let G be a group of order n and let y, gi , . . , , g m ^ 1 be elements 
of G. A ( G , gi, . . . , g m )-DL representation of y is a tuple (aq, . . . , x m ) such that 

0 < Xi < n — 1 for i = 1, . . . , m and y = gf 1 . . . gf^ 1 . 

Moreover, for i = 1, . . . , m, we call Xi the gi - part of the (G, g i, . . . , g m )-DL 
representation (aq, . . . , x m ) of y. 

Definition 5. Let e be an element of Zif co-prime with A (Z*,e)-root of 
y £ Z* is an element x £ Z* such that a f = y (mod n) . 

Note that if the factorization of n is unknown then computing e-th roots in Z* 
is assumed to be infeasible (this is the RSA assumption). 

We introduce the notion of RSA representation that has also been used in 
some of the constructions of [4, 5] . 

Definition 6. Let e £ Z* be co-prime with <f>(n ) and let y, gi, • • ■ , g m ^ 1 be 
elements of Ztf. A (Z*,e,gi, - ■ ■ ,g m )-RSA representation (RSAREP) of y is a 
tuple (aq, . . . ,x m , x) such that y = gi 1 ---gff n x e (mod n), 0 < Xi < e for 

1 = 1 , . . . , m and x £ Zf,. 

In [4] it is shown how to choose the parameters so that the RSA representation 
problem can be reduced to the RSA problem. 

3.1 Proofs of Knowledge 

We summarize the proofs of knowledge (PoKs) that will be used in our construc- 
tion, for details see [13,4, 16]. 

PoK of a discrete logarithm. On input (the description of) a cyclic group G 
of order n, a generator g of G, and an element y £ G, the prover P proves 
knowledge to the verifier V of x, the discrete logarithm of y to the base g. 




